Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Merged Msg

v1.0.0

Fetch and parse Feishu merged/forwarded messages (合并转发消息). Activate when a Feishu message shows "Merged and Forwarded Message" with no readable content, or w...

by deadblue (@deadblue22)
Security Scan

VirusTotal: Suspicious (report available)
OpenClaw: Suspicious (high confidence)

Purpose & Capability
Functionality (retrieving sub-messages from Feishu merge_forward messages) matches the name and code: the included shell script exchanges app credentials for a tenant token and calls the Feishu messages API. However, the package declares no required credentials/config paths while the README explicitly requires app_id/app_secret (and suggests pulling them from local OpenClaw config), which is an inconsistency.
Instruction Scope (flagged)
SKILL.md explicitly instructs the agent to run a script and — if credentials are not available — to execute a python one-liner that loads /root/.openclaw/openclaw.json to print appId/appSecret. That directs reading a local config file containing secrets that was not declared and encourages printing sensitive credentials to stdout.
Install Mechanism
No install spec; the skill is instruction-only with a small included shell script. The script itself is straightforward (curl + python JSON parse) and does not download or install external code.
Credentials (flagged)
Needing Feishu app_id/app_secret is reasonable for the stated API access, but the skill fails to declare required credentials/config paths while telling the agent how to extract secrets from a local OpenClaw config. This encourages access to local secrets beyond what the manifest advertises and risks exposing other stored credentials if the path contains more than just Feishu keys.
Persistence & Privilege
Skill does not request persistent/always-on privileges and does not modify other skills or system settings. It runs on demand and performs immediate API calls only.
What to consider before installing
This skill appears to do what it says (fetch Feishu merged messages) but it instructs the agent to read and print secrets from your local OpenClaw config (/root/.openclaw/openclaw.json) while the manifest doesn't declare that requirement. Before installing or running it: (1) verify the skill's origin — source and homepage are unknown; (2) do not run the provided python snippet that prints credentials to stdout — instead fetch app_id/app_secret manually from your secret store; (3) prefer creating a Feishu app with minimal scope (im:message:readonly) and short-lived/test credentials; (4) inspect and run the shell script in a safe/isolated environment; (5) consider adding an explicit config requirement or removing the instruction to read the OpenClaw config so the skill does not encourage inadvertent exposure of other secrets. If you need to use it, provide only the minimal credentials the script requires and avoid exposing your entire openclaw.json.


latest: vk975yy42s45z5nqp8c8z12wx2h829hwh
358 downloads
0 stars
1 version
Updated 13h ago
v1.0.0
MIT-0

Feishu Merged Message Fetcher

Feishu's merge_forward messages appear as "Merged and Forwarded Message" with no content in the bot API. Use the Feishu REST API to retrieve the actual sub-messages.

When to Use

  • Message body contains only "Merged and Forwarded Message"
  • msg_type is merge_forward
  • User asks about a forwarded/合并转发 message you can't read

How It Works

The Feishu GET /open-apis/im/v1/messages/{message_id} endpoint returns the parent message plus all sub-messages in data.items[]. Sub-messages have upper_message_id pointing to the parent.

Steps

  1. Get the message_id of the merged message (from inbound context or replied message metadata).

  2. Run the fetch script:

     bash <skill_dir>/scripts/fetch_merged_msg.sh <message_id> <app_id> <app_secret>

     • app_id / app_secret: from OpenClaw config at .channels.feishu in openclaw.json
     • If credentials are not readily available, extract them:

       python3 -c "import json; d=json.load(open('/root/.openclaw/openclaw.json')); c=d['channels']['feishu']; print(c.get('appId',''), c.get('appSecret',''))"

  3. Parse the JSON response:

     • data.items[0] is the parent (merge_forward) message
     • data.items[1:] are the sub-messages in chronological order
     • Each sub-message has body.content with the actual text/post content
     • mentions[] maps @_user_N placeholders to real names
     • sender.id identifies who sent each sub-message

  4. Summarize the conversation thread for the user.

Notes

  • The API requires im:message:readonly scope on the Feishu app.
  • Images inside sub-messages show as image_key references; they cannot be directly displayed but can be described from context.
  • Sub-messages may come from different chats (check chat_id); the original chat context may differ from the current group.
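Step 3 and the Notes above describe the response layout but the skill leaves the parsing to the agent. The following is an added worked example, not code from the skill, from OpenClaw or from Feishu, that implements that step over a constructed response of the described shape: it accepts only items whose upper_message_id points at the parent, resolves @_user_N placeholders through mentions[], renders image_key references as placeholders and flags sub-messages whose chat_id differs from the parent's. It works on a response you have already fetched, so it needs no credentials at all. The sample payload, the omission of fields the README does not name, and the encoding of body.content as a JSON string are assumptions.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample response, shaped after the fields SKILL.md names
# (data.items[], upper_message_id, body.content, mentions[], sender.id, chat_id).
# Everything beyond those names is an assumption, not captured Feishu output.
SAMPLE_RESPONSE = json.dumps({
    "code": 0,
    "msg": "success",
    "data": {"items": [
        {   # items[0]: the merge_forward parent, whose body is the unreadable placeholder
            "message_id": "om_parent", "msg_type": "merge_forward", "chat_id": "oc_group_a",
            "sender": {"id": "ou_forwarder"},
            "body": {"content": "Merged and Forwarded Message"}, "mentions": [],
        },
        {   # sub-message 1: text containing an @_user_N placeholder resolved via mentions[]
            "message_id": "om_sub1", "upper_message_id": "om_parent", "msg_type": "text",
            "chat_id": "oc_group_b", "sender": {"id": "ou_alice"},
            "body": {"content": json.dumps({"text": "@_user_1 can you check the deploy?"})},
            "mentions": [{"key": "@_user_1", "id": "ou_bob", "name": "Bob"}],
        },
        {   # sub-message 2: an image, for which only the image_key is available
            "message_id": "om_sub2", "upper_message_id": "om_parent", "msg_type": "image",
            "chat_id": "oc_group_b", "sender": {"id": "ou_bob"},
            "body": {"content": json.dumps({"image_key": "img_v2_constructed"})}, "mentions": [],
        },
        {   # stray item pointing at a different parent: must not be shown as part of this forward
            "message_id": "om_stray", "upper_message_id": "om_unrelated", "msg_type": "text",
            "chat_id": "oc_group_b", "sender": {"id": "ou_mallory"},
            "body": {"content": json.dumps({"text": "not part of this forward"})}, "mentions": [],
        },
    ]},
})


@dataclass
class ThreadMessage:
    message_id: str
    sender_id: str
    chat_id: str
    msg_type: str
    text: str
    from_other_chat: bool  # True when chat_id differs from the parent's chat


def render_content(item: dict) -> str:
    """Turn one item's body.content into readable text.

    text: unwrap {"text": ...} and replace @_user_N keys with the names from mentions[].
    image: emit a placeholder carrying the image_key (the bytes are not in the response).
    anything else (post, file, ...): keep the raw content so nothing is silently dropped.
    """
    raw = (item.get("body") or {}).get("content", "")
    try:
        content = json.loads(raw)
    except (TypeError, ValueError):
        content = {}
    if not isinstance(content, dict):
        content = {}
    msg_type = item.get("msg_type", "")
    if msg_type == "image":
        return f"[image {content.get('image_key', '?')}]"
    text = content.get("text", raw) if msg_type == "text" else raw
    for mention in item.get("mentions") or []:
        key, name = mention.get("key"), mention.get("name")
        if key and name:
            text = text.replace(key, f"@{name}")
    return text


def parse_merged_message(raw_response: str) -> tuple[dict, list[ThreadMessage]]:
    """Split a messages API response into (parent item, ordered sub-messages).

    Sub-messages are accepted only if their upper_message_id points at the parent
    and are kept in response order, which the README says is chronological.
    """
    resp = json.loads(raw_response)
    if resp.get("code") != 0:
        raise ValueError(f"Feishu API error {resp.get('code')}: {resp.get('msg')}")
    items = (resp.get("data") or {}).get("items") or []
    if not items or items[0].get("msg_type") != "merge_forward":
        raise ValueError("items[0] is not a merge_forward parent message")
    parent = items[0]
    parent_id, parent_chat = parent["message_id"], parent.get("chat_id")
    thread: list[ThreadMessage] = []
    for item in items[1:]:
        if item.get("upper_message_id") != parent_id:
            continue  # unrelated item: never attribute it to this forward
        thread.append(ThreadMessage(
            message_id=item.get("message_id", ""),
            sender_id=(item.get("sender") or {}).get("id", "unknown"),
            chat_id=item.get("chat_id", ""),
            msg_type=item.get("msg_type", ""),
            text=render_content(item),
            from_other_chat=item.get("chat_id") != parent_chat,
        ))
    return parent, thread


def summarize_thread(raw_response: str) -> list[str]:
    """One line per sub-message, tagging messages that originate in another chat."""
    _, thread = parse_merged_message(raw_response)
    lines = []
    for m in thread:
        origin = f" (from chat {m.chat_id})" if m.from_other_chat else ""
        lines.append(f"{m.sender_id}{origin}: {m.text}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize_thread(SAMPLE_RESPONSE)))
```

Feed it the JSON the fetch script prints (for example `summarize_thread(open("response.json").read())`); the upper_message_id check matters because the response is trusted only as far as each item actually belongs to the parent, and the from_other_chat flag carries the caveat from the Notes into the summary the user sees.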
