Lark Apps

Name: Lark Apps
Author: larksuite

larksuite/cli

Inspect Feishu/Lark app visibility and access-scope settings via lark-cli before changing who can install or use your bot.

Overview

Lark Apps is an agent skill for the Build phase that documents how to query a Lark/Feishu application's access-scope configuration with lark-cli `apps +access-scope-get`.

Install

npx skills add https://github.com/larksuite/cli --skill lark-apps

What is this skill?

Single GET `/apps/{appId}/access-scope` call via `lark-cli apps +access-scope-get`
Returns scope enum All, Tenant, or Range with users, departments, chats, and optional apply_config
Documents public-scope `require_login` and Range approver constraints
Depends on lark-shared skill for shared CLI prerequisites
Maps CLI flags (`public`, `tenant`, `specific`) to server scope string semantics
1 GET /apps/{appId}/access-scope call per inspection
3 scope enum values: All, Tenant, Range

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Adoption & trust: 57.4k installs on skills.sh; 13.7k GitHub stars.

What problem does it solve?

You shipped a Lark app but cannot tell whether it is public, tenant-only, or restricted to specific users and chats without digging through console docs.

Who is it for?

Indie devs and small teams integrating Lark bots or internal apps who automate config checks from the terminal or an agent.

Skip if: Non-Lark stacks, frontend UI work, or mutating access scope without reading lark-shared auth setup first.

When should I use this skill?

User needs to read Lark app access-scope with lark-cli or understand All vs Tenant vs Range visibility for an app_id.

What do I get? / Deliverables

You run one documented CLI call and get a structured scope report you can paste into tickets, runbooks, or agent plans before changing visibility.

Parsed access-scope JSON report
Human-readable visibility summary by scope type

Recommended Skills

Lark Drivelarksuite/cli

Feishu cloud space skill for lark-cli: file CRUD, smart search, imports to online docs/sheets/bases, permissions, and ve…209k installs·13.7k stars

Lark Sharedlarksuite/cli

Cross-cutting lark-cli guide for configuration, user/bot auth, scope errors, CLI updates, and safe handling of auth URLs…209k installs·13.7k stars

Lark Minuteslarksuite/cli

Focused lark-cli shortcut for fetching Minute recording files or signed URLs with batch and path controls.208k installs·13.7k stars

Tzstxixu-me/skills

Guides end-to-end tzst CLI workflows for zstd tar archives from preflight through troubleshooting.197k installs·61 stars

Runcomfy Cliagentspace-so/runcomfy-agent-skills

Core RunComfy CLI skill teaching agents how to authenticate, discover models, submit jobs, and retrieve results from the…154k installs·15 stars

Caveman Helpjuliusbrussee/caveman

Ephemeral Caveman command reference invoked via /caveman-help or natural phrases, output in caveman style only for that …133k installs·70k stars

Journey fit

Primary fit

BuildIntegrations & version control

Build integrations is where Lark app IDs, OAuth scopes, and tenant visibility are configured—this command is an operational read on that integration surface. Integrations subphase fits third-party workplace app configuration rather than frontend UI or generic PM docs.

How it compares

A command-reference slice of the Lark CLI skill pack, not a full MCP server or generic REST client generator.

Common Questions / FAQ

Who is lark-apps for?

Developers building on Lark/Feishu who use lark-cli and need agents to correctly call the apps access-scope GET endpoint.

When should I use lark-apps?

During Build integrations when verifying app visibility before release, after scope changes in the admin console, or when writing internal docs on who can install your app.

Is lark-apps safe to install?

Following the skill implies network API calls and app credentials via lark-cli—verify package integrity and audits on this Prism page before running in production tenants.

Workflow Chain

Requires first: lark shared

SKILL.md

READMESKILL.md - Lark Apps

# apps +access-scope-get

> **前置条件：** 先阅读 [`../lark-shared/SKILL.md`](../../lark-shared/SKILL.md)。

获取应用当前的可用范围配置。一次 `GET /apps/{appId}/access-scope` 调用，响应原样透传服务端契约（字符串 scope 枚举 + 拆分数组）。

## 命令

```bash
lark-cli apps +access-scope-get --app-id app_xxx
```

## 参数

| 参数 | 必填 | 说明 |
|---|---|---|
| `--app-id <id>` | ✅ | 应用 ID |

## 返回值

**成功（specific，三种 target 类型混合）：**

```json
{
  "ok": true,
  "data": {
    "scope": "Range",
    "users": ["ou_xxx", "ou_yyy"],
    "departments": ["od_xxx"],
    "chats": ["oc_xxx"],
    "apply_config": {
      "enabled": true,
      "approvers": ["ou_approver"]
    }
  }
}
```

**成功（public + 免登）：**

```json
{ "ok": true, "data": { "scope": "All", "require_login": false } }
```

**成功（tenant）：**

```json
{ "ok": true, "data": { "scope": "Tenant" } }
```

**失败：**

```json
{ "ok": false, "error": { "type": "api", "message": "...", "hint": "..." } }
```

## 字段语义

- `scope` 是**字符串枚举**：
  - `"All"` = 互联网公开 — 对应 `apps +access-scope-set --scope public`
  - `"Tenant"` = 组织内 — 对应 `--scope tenant`
  - `"Range"` = 部分人员 — 对应 `--scope specific`
- `users` / `departments` / `chats` 三个数组（仅 `scope="Range"` 时）：服务端拆分形态，CLI 不合并回统一 targets
- `apply_config`（可选，仅 `scope="Range"` 且申请开启时）：含 `enabled` 和 `approvers`（只允许一个 user open_id）
- `require_login`（仅 `scope="All"` 时）：bool

## 典型场景

### 场景 1：查看当前应用对谁可见

```bash
lark-cli apps +access-scope-get --app-id app_xxx
```

按 `scope` 值组装报告：
- `scope="All"` → "应用 `{app_id}` 当前互联网公开（require_login={require_login}）"
- `scope="Tenant"` → "应用 `{app_id}` 当前对企业全员可见"
- `scope="Range"` → "应用 `{app_id}` 当前指定可见，包含 N 个用户 / M 个部门 / K 个群"

### 场景 2：把 GET 响应拼回 `+access-scope-set` 命令（复制 / 备份可用范围）

```bash
# 拼一个 --targets JSON 数组（jq）
lark-cli apps +access-scope-get --app-id app_src -q '
  .data
  | (.users        // [] | map({type:"user",       id:.}))
  + (.departments // [] | map({type:"department", id:.}))
  + (.chats        // [] | map({type:"chat",       id:.}))
'
```

得到 `[{"type":"user","id":"ou_x"}, ...]` 数组，可作为 `apps +access-scope-set --targets '...'` 的入参。

## 协同命令

| 场景 | 命令 |
|---|---|
| 设置可用范围 | `apps +access-scope-set` |
| 拿 app_id | 从用户提供的妙搭应用链接 `https://miaoda.feishu.cn/app/app_xxx` 的 `/app/` 后面提取，或让用户直接给 `app_xxx` 字符串（详见 `../SKILL.md`） |

## 参考

- [lark-apps](../SKILL.md)
- [lark-shared](../../lark-shared/SKILL.md)


# apps +access-scope-set

> **前置条件：** 先阅读 [`../lark-shared/SKILL.md`](../../lark-shared/SKILL.md)。

设置应用的可用范围。三种 scope 形态互斥：`specific`（指定可见）、`public`（互联网公开）、`tenant`（企业全员）。

## 命令

```bash
# 指定可见 + 允许申请（targets 支持 user / department / chat 三种类型）
lark-cli apps +access-scope-set --app-id app_xxx \
  --scope specific \
  --targets '[{"type":"user","id":"ou_xxx"},{"type":"department","id":"od_xxx"},{"type":"chat","id":"oc_xxx"}]' \
  --apply-enabled \
  --approver ou_yyy

# 互联网公开 + 免登
lark-cli apps +access-scope-set --app-id app_xxx --scope public --require-login=false

# 企业全员
lark-cli apps +access-scope-set --app-id app_xxx --scope tenant
```

## 参数

| 参数 | 必填 | 说明 |
|---|---|---|
| `--app-id <id>` | ✅ | 应用 ID |
| `--scope <enum>` | ✅ | `specific` / `public` / `tenant` |
| `--targets <json>` | scope=specific 必填 | targets JSON 数组，每项 `{"type":"user\|department\|chat", "id":"<id>"}` |
| `--apply-enabled` | scope=specific 可选 | 是否允许申请访问 |
| `--approver <ou_xxx>` | `--apply-enabled` 必填 | 申请审批人（**只能传一个 user open_id**，服务端限制） |
| `--require-login` | scope=public 必填 | 是否要求登录 |

## 互斥校验（Validate 阶段，不通过直接报错不发请求）

- `scope=specific`：必传 `--targets`；不允许 `--require-login`
- `scope=public`：必传 `--require-login`；不允许 `--targets` / `--apply-enabled` / `--approver`
- `scope=tenant`：不允许任何其它 flag
- `--targets` 内每项的 `type` 必须是 `user` / `department` / `chat` 之一

## 返回值

**成功：**

```json
{ "ok": true, "data": {} }
```

**API 失败：**

```json
{ "ok": false, "error": { "type": "api", "message": "...", "hint": "..." } }
```

**Validate 失败（互斥违反，CLI 本地校验）：**

```json
{ "ok": false, "error": { "type": "validation", "message": "--targets is required when --scope=specific" } }
```

## 字段语义

- 成功时 `data` 为空对象，C

What is this skill?

Single GET `/apps/{appId}/access-scope` call via `lark-cli apps +access-scope-get`

Returns scope enum All, Tenant, or Range with users, departments, chats, and optional apply_config

Documents public-scope `require_login` and Range approver constraints

Depends on lark-shared skill for shared CLI prerequisites

Maps CLI flags (`public`, `tenant`, `specific`) to server scope string semantics

1 GET /apps/{appId}/access-scope call per inspection

3 scope enum values: All, Tenant, Range

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Adoption & trust: 57.4k installs on skills.sh; 13.7k GitHub stars.

Journey fit

Primary fit

BuildIntegrations & version control

SKILL.md

READMESKILL.md - Lark Apps

# apps +access-scope-get

> **前置条件：** 先阅读 [`../lark-shared/SKILL.md`](../../lark-shared/SKILL.md)。

获取应用当前的可用范围配置。一次 `GET /apps/{appId}/access-scope` 调用，响应原样透传服务端契约（字符串 scope 枚举 + 拆分数组）。

## 命令

```bash
lark-cli apps +access-scope-get --app-id app_xxx
```

## 参数

| 参数 | 必填 | 说明 |
|---|---|---|
| `--app-id <id>` | ✅ | 应用 ID |

## 返回值

**成功（specific，三种 target 类型混合）：**

```json
{
  "ok": true,
  "data": {
    "scope": "Range",
    "users": ["ou_xxx", "ou_yyy"],
    "departments": ["od_xxx"],
    "chats": ["oc_xxx"],
    "apply_config": {
      "enabled": true,
      "approvers": ["ou_approver"]
    }
  }
}
```

**成功（public + 免登）：**

```json
{ "ok": true, "data": { "scope": "All", "require_login": false } }
```

**成功（tenant）：**

```json
{ "ok": true, "data": { "scope": "Tenant" } }
```

**失败：**

```json
{ "ok": false, "error": { "type": "api", "message": "...", "hint": "..." } }
```

## 字段语义

- `scope` 是**字符串枚举**：
  - `"All"` = 互联网公开 — 对应 `apps +access-scope-set --scope public`
  - `"Tenant"` = 组织内 — 对应 `--scope tenant`
  - `"Range"` = 部分人员 — 对应 `--scope specific`
- `users` / `departments` / `chats` 三个数组（仅 `scope="Range"` 时）：服务端拆分形态，CLI 不合并回统一 targets
- `apply_config`（可选，仅 `scope="Range"` 且申请开启时）：含 `enabled` 和 `approvers`（只允许一个 user open_id）
- `require_login`（仅 `scope="All"` 时）：bool

## 典型场景

### 场景 1：查看当前应用对谁可见

```bash
lark-cli apps +access-scope-get --app-id app_xxx
```

按 `scope` 值组装报告：
- `scope="All"` → "应用 `{app_id}` 当前互联网公开（require_login={require_login}）"
- `scope="Tenant"` → "应用 `{app_id}` 当前对企业全员可见"
- `scope="Range"` → "应用 `{app_id}` 当前指定可见，包含 N 个用户 / M 个部门 / K 个群"

### 场景 2：把 GET 响应拼回 `+access-scope-set` 命令（复制 / 备份可用范围）

```bash
# 拼一个 --targets JSON 数组（jq）
lark-cli apps +access-scope-get --app-id app_src -q '
  .data
  | (.users        // [] | map({type:"user",       id:.}))
  + (.departments // [] | map({type:"department", id:.}))
  + (.chats        // [] | map({type:"chat",       id:.}))
'
```

得到 `[{"type":"user","id":"ou_x"}, ...]` 数组，可作为 `apps +access-scope-set --targets '...'` 的入参。

## 协同命令

| 场景 | 命令 |
|---|---|
| 设置可用范围 | `apps +access-scope-set` |
| 拿 app_id | 从用户提供的妙搭应用链接 `https://miaoda.feishu.cn/app/app_xxx` 的 `/app/` 后面提取，或让用户直接给 `app_xxx` 字符串（详见 `../SKILL.md`） |

## 参考

- [lark-apps](../SKILL.md)
- [lark-shared](../../lark-shared/SKILL.md)


# apps +access-scope-set

> **前置条件：** 先阅读 [`../lark-shared/SKILL.md`](../../lark-shared/SKILL.md)。

设置应用的可用范围。三种 scope 形态互斥：`specific`（指定可见）、`public`（互联网公开）、`tenant`（企业全员）。

## 命令

```bash
# 指定可见 + 允许申请（targets 支持 user / department / chat 三种类型）
lark-cli apps +access-scope-set --app-id app_xxx \
  --scope specific \
  --targets '[{"type":"user","id":"ou_xxx"},{"type":"department","id":"od_xxx"},{"type":"chat","id":"oc_xxx"}]' \
  --apply-enabled \
  --approver ou_yyy

# 互联网公开 + 免登
lark-cli apps +access-scope-set --app-id app_xxx --scope public --require-login=false

# 企业全员
lark-cli apps +access-scope-set --app-id app_xxx --scope tenant
```

## 参数

| 参数 | 必填 | 说明 |
|---|---|---|
| `--app-id <id>` | ✅ | 应用 ID |
| `--scope <enum>` | ✅ | `specific` / `public` / `tenant` |
| `--targets <json>` | scope=specific 必填 | targets JSON 数组，每项 `{"type":"user\|department\|chat", "id":"<id>"}` |
| `--apply-enabled` | scope=specific 可选 | 是否允许申请访问 |
| `--approver <ou_xxx>` | `--apply-enabled` 必填 | 申请审批人（**只能传一个 user open_id**，服务端限制） |
| `--require-login` | scope=public 必填 | 是否要求登录 |

## 互斥校验（Validate 阶段，不通过直接报错不发请求）

- `scope=specific`：必传 `--targets`；不允许 `--require-login`
- `scope=public`：必传 `--require-login`；不允许 `--targets` / `--apply-enabled` / `--approver`
- `scope=tenant`：不允许任何其它 flag
- `--targets` 内每项的 `type` 必须是 `user` / `department` / `chat` 之一

## 返回值

**成功：**

```json
{ "ok": true, "data": {} }
```

**API 失败：**

```json
{ "ok": false, "error": { "type": "api", "message": "...", "hint": "..." } }
```

**Validate 失败（互斥违反，CLI 本地校验）：**

```json
{ "ok": false, "error": { "type": "validation", "message": "--targets is required when --scope=specific" } }
```

## 字段语义

- 成功时 `data` 为空对象，C

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Who is lark-apps for?

When should I use lark-apps?

Is lark-apps safe to install?

SKILL.md

This week for builders

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Who is lark-apps for?

When should I use lark-apps?

Is lark-apps safe to install?

SKILL.md