lark-shared
Original:🇨🇳 Chinese
Translated
Lark CLI Shared Basics: Application configuration initialization, authentication login (auth login), identity switching (--as user/bot), permission and scope management, Permission denied error handling, and security rules. Triggered when users need to configure for the first time (`lark-cli config init`), use login authorization (`lark-cli auth login`), encounter insufficient permissions, switch user/bot identities, configure scope, or use lark-cli for the first time.
280.5kinstalls
Sourcelarksuite/cli
Added on
NPX Install
npx skill4agent add larksuite/cli lark-sharedTags
Translated version includes tags in frontmatterSKILL.md Content (Chinese)
View Translation Comparison →Lark CLI Shared Rules
This skill guides you on how to operate Lark resources via lark-cli and what precautions to take.
Configuration Initialization
Run to complete application configuration for first-time use.
lark-cli config initWhen helping users initialize configuration, use the background mode to initiate the application configuration process with the following command. After starting, read the output, extract the authorization link, and send it to the user:
bash
# Initiate configuration (this command will block until the user opens the link and completes the operation or it expires)
lark-cli config init --newAuthentication
Identity Types
There are two identity types, switchable via :
--as| Identity | Identifier | Obtaining Method | Applicable Scenarios |
|---|---|---|---|
| User Identity | | | Access the user's own resources (calendar, cloud storage, etc.) |
| Bot Application Identity | | Automatic, only requires appId + appSecret | Application-level operations, access the bot's own resources |
Identity Selection Principles
The output represents the current identity. Bot and user identities behave very differently, so ensure the identity meets the target requirements:
[identity: bot/user]- Bots cannot view user resources: Unable to access the user's calendar, cloud storage documents, email, and other personal resources. For example, querying schedules with returns the bot's own (empty) calendar
--as bot - Bots cannot operate on behalf of users: Messages are sent in the application's name, and created documents belong to the bot
- Bot Permissions: Only need to enable scopes in the Lark Developer Backend, no required
auth login - User Permissions: Both enabling scopes in the backend and user authorization via are required
auth login
Handling Insufficient Permissions
When encountering permission-related errors, adopt different solutions based on the current identity type.
Error responses contain key information:
- : Lists missing scopes (choose one from N)
permission_violations - : Link to permission configuration in the Lark Developer Backend
console_url - : Recommended fix command
hint
Bot Identity (--as bot
)
--as botProvide the from the error to the user and guide them to enable the required scopes in the backend. Prohibit executing for bots.
console_urlauth loginUser Identity (--as user
)
--as userbash
lark-cli auth login --domain <domain> # Authorize by business domain
lark-cli auth login --scope "<missing_scope>" # Authorize by specific scope (recommended, follows the principle of least privilege)Rule: auth login must specify a scope ( or ). Scopes from multiple logins will accumulate (incremental authorization).
--domain--scopeAgent-initiated Authentication (Recommended)
When you, as an AI agent, need to help users complete authentication, use background mode to execute the following command to initiate the authorization process, and send the authorization link to the user:
bash
# Initiate authorization (blocks until the user completes authorization or it expires)
lark-cli auth login --scope "calendar:calendar:readonly"
Security Rules
- Prohibit outputting secrets (appSecret, accessToken) in plaintext to the terminal.
- Must confirm user intent before performing write/delete operations.
- Use to preview dangerous requests.
--dry-run