Feishu Sheets Skill
v1.0.0
Feishu online spreadsheet (Sheets) operations including create, read, write, append data, manage worksheets. Use when user mentions Feishu Sheets, online spr...
⭐ 5· 4.5k·44 current·46 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The name/description (Feishu Sheets operations) matches the code's behavior (create/read/write/append sheets via Feishu APIs). However the package metadata declares no required environment variables or primary credential while the included script clearly expects FEISHU_APP_ID and FEISHU_APP_SECRET environment variables for authentication. That omission is a material mismatch.
Instruction Scope
SKILL.md documents spreadsheet actions and how to extract spreadsheet tokens from URLs, but it does not state how to obtain or supply the tenant access token, nor does it mention the need to set FEISHU_APP_ID/FEISHU_APP_SECRET. The runtime instructions therefore omit a necessary authentication step (the Python client calls the Feishu auth API using app_id/app_secret); that information is missing from both the manifest and the instructions.
Install Mechanism
There is no install spec (instruction-only), which is low-risk in principle, but the included Python script requires the 'requests' library and a Python runtime. The registry does not declare these dependencies or required binaries. This mismatch can lead to runtime failures and hides the fact that the code will make outbound HTTPS requests. No external or unusual download URLs are present.
Credentials
The script requires sensitive credentials (FEISHU_APP_ID and FEISHU_APP_SECRET) to obtain a tenant_access_token, but the registry metadata lists no required environment variables or primary credential. Requesting app_id/app_secret is reasonable for a Feishu Sheets client, but the lack of declaration is a red flag: you should not supply organization-wide or high-privilege secrets without understanding scope and owner. The requested credentials are proportionate to the feature set, but they must be explicitly declared and limited.
Persistence & Privilege
The skill is not marked always:true, does not claim to persist beyond its own operation, and does not modify other skills or system settings. It runs as a CLI-like client and uses network calls only to Feishu open-apis endpoints.
What to consider before installing
Before installing or enabling this skill:
(1) Understand it will need FEISHU_APP_ID and FEISHU_APP_SECRET (sensitive credentials) even though the registry doesn't declare them—only provide credentials if you trust the skill owner and limit the app's permissions.
(2) Review the included scripts/feishu_sheets.py yourself (or have someone you trust review it) since the runtime behavior is implemented in that file.
(3) Ensure the environment has Python and the 'requests' library, or run in an isolated sandbox.
(4) Prefer creating a minimal-scope Feishu app (least privilege) and rotate/revoke credentials after use.
(5) If you are in an organization, consult your security/admin team before providing app credentials or running this skill.
Like a lobster shell, security has layers — review code before you run it.
