openclaw自动化配置飞书,几乎不要人手动干预,测试成功
v1.0.0Automates Feishu integration with minimal manual input by handling authentication, messaging, events, APIs, error recovery, and fallback solutions.
⭐ 0· 329·0 current·0 all-time
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's declared registry metadata lists no required environment variables, but SKILL.md and config_schema.json clearly require Feishu credentials (app_id/app_secret and optional tokens, webhook_url). Requesting Feishu app credentials is appropriate for this skill, but the registry metadata omission is inconsistent and misleading.
Instruction Scope
SKILL.md stays within Feishu integration scope (auth flows, webhook handling, API calls). It instructs the agent to obtain and cache tokens, validate webhooks, and consult docs/community examples (i.e., network access). There are no instructions to read unrelated system files, but the skill claims 'never logs or exposes app secrets' and 'caches tokens securely'—those are promises, not enforced by metadata; you should review implementation to confirm they are honored.
Install Mechanism
No install spec (instruction-only) which reduces install-time risk. The package includes Python scripts and a requirements.txt listing common packages (lark-oapi, requests, pydantic). However, skill.json lists a slightly different dependency name ('lark-api' vs requirements.txt 'lark-oapi'), indicating packaging/metadata drift that could cause installation confusion.
Credentials
The skill legitimately needs Feishu credentials (app_id, app_secret, verification_token, webhook_url) and the config schema requires app_id/app_secret. However, the registry metadata's 'Required env vars: none' contradicts that. Examples and SKILL.md also reference storing logs to files—if logging is implemented poorly, secrets could leak to disk. Overall credential requests are expected for purpose, but the metadata inconsistency and unspecified token storage behavior are concerning.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does create a 'solutions' workspace directory (solve_feishu_integration.py) which means it will write files in the working directory; this is normal for a tool that generates code. No automatic modifications of other skills or system-wide settings are indicated.
What to consider before installing
This skill appears to be a reasonable Feishu integration helper, but several inconsistencies mean you should audit it before use. Specifically: (1) confirm how you are expected to provide credentials—SKILL.md/config expect app_id and app_secret, but the registry metadata incorrectly lists no required env vars; don't assume the platform will inject credentials automatically. (2) Inspect the code (solve_feishu_integration.py) to verify that secrets are never logged or written to disk and to see how tokens are cached; run it in a safe/test environment first. (3) Note the dependency name mismatch (skill.json vs requirements.txt) and ensure you install the correct packages. (4) Because the skill performs network calls (token requests, documentation/community lookups) run it in an environment where outbound requests are allowed and monitored, or block outbound connections during initial testing. (5) If you must provide real production app credentials, consider creating a limited-permission test app and not reuse high-privilege credentials until you’ve reviewed behavior. If you want, I can point out exact places in the code to inspect for secret-logging or token-storage behavior.Like a lobster shell, security has layers — review code before you run it.
latest
Feishu Integration Problem Solver
This skill automatically solves Feishu integration problems by researching official documentation, finding community solutions, and implementing the most reliable automation approach.
Capabilities
- Authentication & Authorization: Handles app_id/app_secret setup, tenant access tokens, user access tokens, and bot access tokens
- Message Handling: Supports text, rich text, cards, and file messages with proper formatting
- Event Processing: Webhook event handling with signature verification and proper response format
- API Integration: Comprehensive support for Feishu's service APIs including docs, drive, wiki, calendar, etc.
- Error Handling: Intelligent error diagnosis and recovery for common issues like token expiration, permission errors, and rate limiting
- Fallback Strategies: When complete automation isn't possible, provides alternative approaches and manual workarounds
Usage
Basic Integration Setup
When users mention Feishu integration issues, this skill will:
- Analyze the specific problem (authentication, messaging, API calls, etc.)
- Check if they have proper app credentials configured
- Implement the appropriate solution based on the use case
- Provide fallback options if automation isn't possible
Supported Scenarios
- Bot Development: Creating interactive bots that respond to messages and events
- Document Automation: Reading/writing Feishu documents and cloud files
- Workflow Integration: Connecting Feishu with external systems and services
- Permission Management: Handling sharing and collaboration permissions
- Knowledge Base Access: Reading and managing Feishu wiki/knowledge base content
Implementation Details
Authentication Flow
The skill implements the standard Feishu authentication flow:
- App Credentials: Uses
FEISHU_APP_IDandFEISHU_APP_SECRETfrom environment or configuration - Tenant Token: Automatically obtains and caches tenant access tokens with proper refresh logic
- User Tokens: Handles OAuth flows when user-specific actions are required
- Bot Tokens: Manages bot access tokens for messaging capabilities
Error Recovery
Common error scenarios and their solutions:
- Token Invalid (99991663): Automatically refreshes expired tokens
- Permission Denied (99991672): Guides users through permission setup in Feishu admin console
- Rate Limiting: Implements exponential backoff with jitter
- Network Issues: Provides retry logic with circuit breaker patterns
Fallback Strategies
When automation isn't possible:
- Manual Configuration Guide: Step-by-step instructions for manual setup
- Alternative APIs: Suggests different API endpoints or approaches
- Web Interface Workaround: Provides guidance for using Feishu web interface as alternative
- Community Solutions: References relevant GitHub repositories and community examples
Dependencies
This skill leverages existing Feishu skills when available:
feishu-doc: For document operationsfeishu-drive: For cloud storage managementfeishu-perm: For permission handlingfeishu-wiki: For knowledge base operations
If these skills aren't available, it implements basic functionality directly using Feishu's REST APIs.
Security Considerations
- Credential Management: Never logs or exposes app secrets
- Token Storage: Caches tokens securely with automatic expiration
- Input Validation: Validates all inputs to prevent injection attacks
- Rate Limiting: Respects Feishu's API rate limits to avoid account restrictions
Testing & Validation
The skill includes built-in validation:
- Connection Test: Verifies app credentials and basic connectivity
- Permission Check: Validates required permissions before attempting operations
- Mock Mode: Allows testing without making actual API calls (for development)
- Diagnostic Output: Provides detailed logs for troubleshooting
Examples
Example 1: Bot Message Handling
User: "My Feishu bot isn't receiving messages"
Skill: Checks webhook configuration, verifies signature validation, tests message routing
Example 2: Document Access
User: "I can't read Feishu documents programmatically"
Skill: Implements document reading with proper authentication, handles permission errors, suggests alternative approaches
Example 3: Permission Issues
User: "Getting permission denied when trying to share files"
Skill: Guides through permission setup, implements proper sharing workflow, provides manual workaround
Comments
Loading comments...