FeishuBitable-Plus
v1.0.0-beta
Natural-language-driven operation of Feishu Bitable (多维表格), supporting CRUD, bulk import/export, cross-table synchronization and data-quality analysis, with purely local, secure deployment.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
High confidence
Purpose & Capability
Name/description claim natural-language operations for Feishu Bitable; the package contains an API client (calls to open.feishu.cn), intent engine, CLI, and a config manager for storing App ID/App Secret—all coherent with the stated purpose. The declared Feishu scopes (bitable:app, bitable:record, bitable:table) match the functionality.
Instruction Scope
SKILL.md and README instruct only local CLI use (fbt config, fbt query, etc.). Runtime code follows that flow and calls only Feishu API endpoints. However, documentation and some CLI messages claim credentials are saved to the "system keychain" while the implemented ConfigManager stores Base64-encoded credentials in ~/.feishu-bitable-plus/credentials.json — this is a misleading/security-relevant discrepancy.
Install Mechanism
Registry metadata has no install script and the skill is distributed as source/compiled JS files (no external downloads during install). Dependencies are standard npm libs (axios, inquirer, node-cache). There are no suspicious remote download URLs or extract-from-URL steps in the bundle.
Credentials
The skill does not request unrelated environment variables; it legitimately needs Feishu App ID/App Secret and app-specific appToken (passed as CLI args). It does not declare a primaryEnv in registry metadata, but the code expects stored credentials. The credential storage is weak: credentials are stored Base64-encoded (not encrypted). This is proportionate to the feature set but a security concern in practice.
Persistence & Privilege
always:false (not force-included). The skill writes to a single config directory (~/.feishu-bitable-plus) and manages its own credentials file (mode 0o600). It does not modify other skills or global agent settings. Persistence is limited to its own config directory.
Assessment
This package appears to implement what it claims (a local CLI + intent engine + Feishu API client). Before installing or using it, consider the following:
- Credential handling: the code stores your App ID/App Secret in ~/.feishu-bitable-plus/credentials.json using Base64 encoding, which is reversible and not secure. Treat these files as sensitive, delete them when not in use, or modify the code to use a secure key store (e.g., keytar/system keychain).
- Documentation mismatch: README/CLI messages imply system keychain storage; in reality the implementation uses file storage. If you require true system keychain support, patch or request that feature.
- Source provenance: registry metadata lists source/homepage as unknown/none while package.json and README reference a GitHub repo. Prefer installing code from a verified source (inspect the GitHub repo/commit history) and confirm the package integrity.
- Network behavior: the client talks only to open.feishu.cn (Feishu Open API) and obtains a tenant_access_token using your App ID/Secret—this is expected. If you want to be extra cautious, run the CLI in a network-monitored or sandboxed environment the first time.
- Principle of least privilege: only grant the Feishu app the minimal scopes it needs and rotate credentials if you stop using the tool.
If you rely on strong credential protection for production use, do not use the default ConfigManager as-is; replace with secure keychain storage or encrypt the credentials with a secret only you control.
Like a lobster shell, security has layers — review code before you run it.
