Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Card

v1.0.0

Skill for sending Feishu interactive cards (compatible with the international Feishu edition). Use it when a richly formatted Feishu card message is needed. Supports a title, Markdown content and colour themes. Key point: the schema 2.0 format plus double JSON stringify are required, otherwise the international Feishu edition cannot render the card.

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Functionality matches the name/description: the code and docs construct a schema 2.0 Feishu interactive card and call Feishu's official endpoints. However, the skill metadata declares no required env vars or config paths while both SKILL.md and scripts/read_card.py require access to the OpenClaw config file (~/.openclaw/openclaw.json). This mismatch (undeclared credential/config requirement) is a material coherence issue.
Instruction Scope
SKILL.md explicitly instructs reading /root/.openclaw/openclaw.json to extract app_secret and provides a curl example that cat's the file into a shell variable — behavior that can leak secrets (shell history, process command lines, logs). The script itself reads ~/.openclaw/openclaw.json and extracts channels.feishu.appSecret. Aside from the secret access, the instructions stay within the stated purpose (obtaining a token and sending a card) and call only Feishu endpoints.
Install Mechanism
No install spec; this is an instruction-only skill with a small included helper script. Nothing is downloaded from external/untrusted URLs and nothing is installed automatically, which is low risk.
Credentials
The skill requires a Feishu app secret to operate, but the registry metadata lists no required environment variables or config paths and no primary credential. The script implicitly reads the user's OpenClaw config file to get the app secret; requesting access to that file (which may contain other secrets) is reasonable for authentication but should be declared. The hard-coded APP_ID is present in the code; that is expected but should be documented. Overall the credential access is reasonable for the task but underdeclared and potentially surprising.
Persistence & Privilege
The skill is not always-included, does not request elevated platform privileges, and does not modify other skills or system-wide settings. It runs as a simple utility script and only performs one-off token fetch and POST to Feishu.
What to consider before installing
This skill appears to do what it claims (construct and send Feishu schema 2.0 interactive cards), but it reads your OpenClaw configuration file (~/.openclaw/openclaw.json) to obtain the Feishu app_secret while the registry metadata declares no required credentials — that's an inconsistency you should address before installing. Recommended actions:

  1) Inspect the file ~/.openclaw/openclaw.json to see what secrets it contains and whether you are comfortable the skill can read it.
  2) Avoid running the curl example that uses cat to inject the secret into a shell variable (it can leak to logs or process listings); instead supply secrets via a safer mechanism (read-only file with strict permissions or an explicitly declared environment variable).
  3) If you do not want the skill to read your OpenClaw config, modify the script to accept APP_SECRET via an environment variable or CLI argument and run it in a restricted account.
  4) Verify the hard-coded APP_ID is expected for your environment.
  5) If you need stronger assurance, request the author to update skill metadata to declare the required config path/credential and to remove any examples that expose secrets in shell history or logs.


latest: vk978e8yyqef0v7bh3sa2tgwhy5829f58 · 356 downloads · 0 stars · 1 version · Updated 16h ago · v1.0.0 · MIT-0

Feishu Interactive Card Sending Skill

Key points (must read)

Feishu cards come in two formats, old and new:

  • Old components format: incompatible with some client versions, which show "Please upgrade to the latest client version"
  • schema 2.0 format: ✅ recommended, supported by all Feishu 7.x releases

Just use schema 2.0 everywhere; it works whether the Feishu UI is in Chinese or English.

Key: double JSON.stringify

import json

card = {  # the card object (schema 2.0, see the structure below)
    "schema": "2.0",
    "header": {"title": {"tag": "plain_text", "content": "标题"}, "template": "blue"},
    "body": {"elements": [{"tag": "markdown", "content": "内容"}]},
}
content = json.dumps(json.dumps(card))  # must call dumps twice!

A single serialization is not enough: the Feishu API's content field must be a JSON string (the serialized card), and that string is serialized again when it is embedded in the request body.

Card structure (schema 2.0)

{
  "schema": "2.0",
  "header": {
    "title": {
      "tag": "plain_text",
      "content": "标题文字"
    },
    "template": "blue"
  },
  "body": {
    "elements": [
      {
        "tag": "markdown",
        "content": "**加粗** 普通文字\n\n支持换行"
      }
    ]
  }
}

header.template colour options

  • blue (default, recommended)
  • green
  • red
  • orange
  • purple
  • grey

body.elements supported tags

  • markdown: Markdown text (supports bold, italic, code and links)
  • hr: divider line: {"tag": "hr"}
  • note: footer note

Sending methods

Method 1: use the script (recommended)

python3 /root/.openclaw/workspace/skills/feishu-card/scripts/send_card.py \
  --open-id "ou_xxxx" \
  --title "标题" \
  --content "**内容** 支持 Markdown" \
  --template "blue"

Method 2: use the message tool

Call the message tool directly: msg_type must be interactive, and content must be double-stringified (serialize the card object first, then serialize the resulting string).

Method 3: curl (manual)

# Read the app secret from the OpenClaw config into a shell variable
APP_SECRET=$(cat /root/.openclaw/openclaw.json | python3 -c "import json,sys; d=json.load(sys.stdin); print(d['channels']['feishu']['appSecret'])")
# Exchange app_id + app_secret for a tenant access token
TOKEN=$(curl -s -X POST "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal" \
  -H "Content-Type: application/json" \
  -d "{\"app_id\":\"cli_a9f5877b3378dbd8\",\"app_secret\":\"$APP_SECRET\"}" \
  | python3 -c "import json,sys; print(json.load(sys.stdin)['tenant_access_token'])")

# Build the whole request body in Python and feed it to curl on stdin.
# json.dumps(card) turns the card into a string; json.dumps(body) then
# serialises that string a second time, which is the double stringify Feishu needs.
# (Passing the card string through xargs -I{} would strip its quotes and break the JSON.)
python3 -c "
import json
card = {
    'schema': '2.0',
    'header': {'title': {'tag': 'plain_text', 'content': '标题'}, 'template': 'blue'},
    'body': {'elements': [{'tag': 'markdown', 'content': '内容'}]}
}
body = {'receive_id': 'ou_xxxx', 'msg_type': 'interactive', 'content': json.dumps(card)}
print(json.dumps(body))
" | curl -s -X POST \
  "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d @-

Known information (猫南北 account)

  • open_id: ou_22f2eefd5abe63e0cd67f4882cec06d4
  • app_id: cli_a9f5877b3378dbd8
  • app_secret: read from /root/.openclaw/openclaw.json
  • Client version: Feishu 7.62.6, schema 2.0 verified

Troubleshooting

Symptom | Cause | Fix
"Please upgrade to the latest client version" | old components format used | switch to schema 2.0
code 400 JSON parse error | content not double-stringified | json.dumps(json.dumps(card))
Message sent but content is empty | schema field missing | make sure "schema": "2.0" is present
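As an added example (not the skill's own send_card.py), the card construction, the double serialization and the troubleshooting table above in one runnable Python file: it builds a schema 2.0 card restricted to the documented templates and element tags, builds the request body both correctly and with the double-stringify step deliberately skipped, and a checker reports which troubleshooting row a given body would hit. The open_id "ou_test" is a constructed placeholder.

```python
import json

# Colour themes and element tags the skill documents for schema 2.0 cards.
TEMPLATES = {"blue", "green", "red", "orange", "purple", "grey"}
ELEMENT_TAGS = {"markdown", "hr", "note"}


def build_card(title, content, template="blue"):
    """Return a schema 2.0 card dict, rejecting values the skill does not list."""
    if template not in TEMPLATES:
        raise ValueError(f"unknown header.template: {template!r}")
    return {
        "schema": "2.0",
        "header": {"title": {"tag": "plain_text", "content": title},
                   "template": template},
        "body": {"elements": [{"tag": "markdown", "content": content},
                              {"tag": "hr"}]},
    }


def build_message_body(open_id, card, double_stringify=True):
    """Body for POST /im/v1/messages; double_stringify=False reproduces the bug."""
    for el in card["body"]["elements"]:
        if el.get("tag") not in ELEMENT_TAGS:
            raise ValueError(f"unsupported element tag: {el.get('tag')!r}")
    # First dumps: the card becomes a JSON string. The second dumps (below)
    # serialises the whole body, so the card is encoded twice as Feishu expects.
    content = json.dumps(card, ensure_ascii=False) if double_stringify else card
    body = {"receive_id": open_id, "msg_type": "interactive", "content": content}
    return json.dumps(body, ensure_ascii=False)


def decode_card(body_text):
    """Round trip: parse the body, then parse the content string back to a card."""
    return json.loads(json.loads(body_text)["content"])


def check_body(body_text):
    """Map a request body to the troubleshooting-table row it would hit."""
    try:
        body = json.loads(body_text)
    except json.JSONDecodeError:
        return "code 400: body is not valid JSON"
    if not isinstance(body.get("content"), str):
        return "code 400: content is not a JSON string (missing double stringify)"
    if json.loads(body["content"]).get("schema") != "2.0":
        return "empty message: schema field missing"
    return "ok"
```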
