@yoreland/lark-cli-mcp

One-line npx MCP server that lets AI clients (Amazon Quick Desktop, Claude Desktop, …) operate Feishu / Lark as your own user identity — send, read, reply, and search messages.

It wraps the official lark-cli (bundled as a dependency, no separate install) and exposes 7 messaging tools over MCP stdio. Because every call runs with --as user, the sender shown in Feishu is you, not a bot.

Quick start (for workshop attendees)

# 1) Log in once (OAuth device flow — opens a URL / shows a QR code)
npx -y @yoreland/lark-cli-mcp auth

# 2) Sanity check
npx -y @yoreland/lark-cli-mcp doctor

Then add the MCP server in your client:

You should see 7 tools · Connected ✅

Quick Desktop tip: arguments are space-split. -y @yoreland/lark-cli-mcp is fine (no spaces inside the package name).

Prerequisites

• Node.js v18+ (node -v)

• An MCP client (Amazon Quick Desktop / Claude Desktop / etc.)

• A Feishu/Lark account in the org running the workshop

• Network access to npm registry and Feishu OAuth

The Feishu App ID / Secret is provided centrally by the workshop host and baked into the shared lark-cli config — attendees only do the OAuth login step. (See Host setup.)

Behind the Great Firewall? Use a mirror: npm config set registry https://registry.npmmirror.com

Commands

npx -y @yoreland/lark-cli-mcp            # start MCP server (stdio) — what the client runs
npx -y @yoreland/lark-cli-mcp auth       # OAuth device-flow login (user identity)
npx -y @yoreland/lark-cli-mcp status     # show auth status
npx -y @yoreland/lark-cli-mcp logout     # clear token
npx -y @yoreland/lark-cli-mcp doctor     # environment + login self-check
npx -y @yoreland/lark-cli-mcp -- <args>  # passthrough to bundled lark-cli

The 7 tools

Talk to it naturally

Host setup

The workshop host creates one Feishu custom app and configures it so attendees share the same App ID/Secret but each authorize their own account.

1. Feishu Open Platform → create an internal custom app → note App ID / App Secret.

2. Enable User token scopes matching the im, contact, search domains (message read/write, reply, chat read, user search, message search).

3. Distribute the App ID/Secret to attendees via lark-cli config (or a pre-bound config). The login step requests scopes via --domain im,contact.

auth uses OAuth Device Flow, so no redirect URL / localhost:3000 callback configuration is required.

Troubleshooting

missing required scope(s) — re-login with the needed domain:

npx -y @yoreland/lark-cli-mcp auth --domain im,contact

Client shows "No tools loaded" — run npx -y @yoreland/lark-cli-mcp doctor; confirm Node ≥18 and that auth status is OK.

Token expired — just re-run auth.

Known limitations

• No image/file attachment sending (text + markdown only)

• No interactive cards

• No group creation

• Tokens expire; re-run auth when they do

How it works

MCP client (Quick Desktop / Claude Desktop)
    │  stdio (MCP / JSON-RPC)
    ▼
@yoreland/lark-cli-mcp  (server.mjs)
    │  child_process.execFile (no shell → injection-safe)
    ▼
lark-cli --as user   (bundled dependency)
    │  OAuth user_access_token (device flow)
    ▼
Feishu / Lark Open API

License

MIT