Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Thread Forward

v1.0.0

Forward Feishu thread/topic to a user, group, or topic via REST API. Activate when: forwarding a thread/topic to another chat, sharing a topic post to a diff...

by deadblue @deadblue22

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for deadblue22/feishu-thread-forward.

Install the skill "Feishu Thread Forward" (deadblue22/feishu-thread-forward) from ClawHub.
Skill page: https://clawhub.ai/deadblue22/feishu-thread-forward
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install deadblue22/feishu-thread-forward

ClawHub CLI


npx clawhub@latest install feishu-thread-forward

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability
Functionality (forwarding Feishu threads via Feishu Open API) matches the name/description and the included script implements that flow. However the skill's metadata declares no credentials or config paths, while the code and SKILL.md require reading /root/.openclaw/openclaw.json to obtain appId/appSecret — this omission is inconsistent with the stated purpose/requirements.
[!] Instruction Scope
SKILL.md and the script instruct the agent to read /root/.openclaw/openclaw.json to get channels.feishu.appId and appSecret and then call Feishu APIs. Reading a global OpenClaw config file is scope-expanding because that file may contain credentials for multiple channels; the instructions do not constrain or justify reading the entire file or declare that access.
Install Mechanism
No install spec (instruction-only plus a small helper script). No downloads or archive extraction. The script uses standard Python stdlib (urllib) and performs straightforward HTTP calls — low install risk.
[!] Credentials
The skill requires Feishu appId/appSecret but declares no required env vars or config paths in metadata. Instead it hardcodes a path (/root/.openclaw/openclaw.json). This is disproportionate because that global file likely contains other credentials/tokens; asking to read it without declaring it risks exposing unrelated secrets. The script does not exfiltrate data beyond Feishu endpoints, but local file access is overly broad and undeclared.
Persistence & Privilege
The skill is not always:true and does not request persistent system presence or modify other skills. It runs on demand and performs network calls only to Feishu endpoints.
What to consider before installing
This skill implements Feishu thread forwarding and needs Feishu appId/appSecret — that's expected — but it obtains them by reading /root/.openclaw/openclaw.json, a global OpenClaw config that may contain other secrets. Before installing: (1) inspect the file /root/.openclaw/openclaw.json to see what keys it contains; (2) prefer supplying only the Feishu credentials (or an explicit config path) rather than allowing the skill to read a global config; (3) ask the publisher to declare the required config path in the skill metadata or to accept credentials via environment variables; (4) only install if you trust the source, since the skill will read a local file and perform network requests to api.open.feishu.cn. If you cannot verify the config contents or trust the publisher, do not install.

Like a lobster shell, security has layers — review code before you run it.

latest vk97b50zpk68wkn1ngh9g1sfyf982be55
333 downloads
0 stars
1 versions
Updated 15h ago
v1.0.0
MIT-0

Feishu Thread Forward

Forward a Feishu thread (话题) to a user, group, or another topic using the Feishu Open API.

When to Use

  • User asks to forward/share a thread or topic to another group or user
  • You need to cross-post a topic post from one group to another
  • The built-in message tool cannot do thread-level forwarding

API

POST https://open.feishu.cn/open-apis/im/v1/threads/{thread_id}/forward?receive_id_type={type}

Parameters

| Param | Location | Required | Description |
| --- | --- | --- | --- |
| thread_id | path | yes | Thread ID to forward (format: omt_xxxxx) |
| receive_id_type | query | yes | Target ID type: open_id, chat_id, user_id, union_id, email, thread_id |
| receive_id | body | yes | Target ID matching the receive_id_type |
| uuid | query | no | Idempotency key (max 50 chars, dedup within 1 hour) |

Headers

Authorization: Bearer {tenant_access_token}
Content-Type: application/json
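
The parameter rules above, enforced before any request is built. This is an added example, not the skill's scripts/forward_thread.py; the function name, the thread_id pattern (inferred from the omt_xxxxx format) and the sample values are assumptions.

```python
import json
import re
import urllib.parse
import urllib.request

BASE = "https://open.feishu.cn/open-apis/im/v1/threads"
RECEIVE_ID_TYPES = {"open_id", "chat_id", "user_id", "union_id", "email", "thread_id"}
# Assumed pattern, inferred from the documented omt_xxxxx format.
THREAD_ID_RE = re.compile(r"omt_[0-9A-Za-z]+")


def build_forward_request(thread_id, receive_id, receive_id_type, token, uuid=None):
    """Validate inputs, then build (but do not send) the thread-forward request."""
    # thread_id is interpolated into the URL path, so reject anything that is
    # not a plain ID (slashes, dots, query characters) before using it.
    if not THREAD_ID_RE.fullmatch(thread_id):
        raise ValueError("thread_id must look like omt_xxxxx")
    if receive_id_type not in RECEIVE_ID_TYPES:
        raise ValueError(f"unsupported receive_id_type: {receive_id_type!r}")
    if not receive_id:
        raise ValueError("receive_id is required")
    query = {"receive_id_type": receive_id_type}
    if uuid is not None:
        # Idempotency key: documented maximum of 50 characters.
        if not 0 < len(uuid) <= 50:
            raise ValueError("uuid must be 1-50 characters")
        query["uuid"] = uuid
    url = f"{BASE}/{thread_id}/forward?{urllib.parse.urlencode(query)}"
    body = json.dumps({"receive_id": receive_id}).encode("utf-8")
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
```
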

How to Get thread_id

A message in a topic group has a thread_id field. Retrieve it via:

GET https://open.feishu.cn/open-apis/im/v1/messages/{message_id}

The response data.items[0].thread_id contains the thread ID (e.g., omt_1accc5a75c0f9b93).

Script

Use scripts/forward_thread.py for the complete implementation.

python3 skills/feishu-thread-forward/scripts/forward_thread.py \
  --thread-id omt_xxxxx \
  --receive-id oc_xxxxx \
  --receive-id-type chat_id

Typical Flow

  1. Get thread_id — from the message's metadata, or by calling GET message API
  2. Call forward API: POST /im/v1/threads/{thread_id}/forward
  3. Result — a merge_forward type message appears in the target chat as a clickable topic card

Forward vs Merge Forward vs Message Forward

| Method | API | Result |
| --- | --- | --- |
| Thread forward (this skill) | POST /threads/{thread_id}/forward | Topic card (clickable, shows thread context) ✅ |
| Merge forward | POST /messages/merge_forward | "群聊会话记录" bundle (expandable message list) |
| Message forward | POST /messages/{message_id}/forward | Single message copied to target (loses thread context) |

Thread forward is what users see when they click "转发话题" in Feishu client.

Prerequisites

  • Bot must be in the source group (and can see the thread)
  • Bot must be in the target group (or target user must be in bot's availability scope)
  • Bot needs im:message or im:message:send_as_bot permission

Credentials

Read channels.feishu.appId / channels.feishu.appSecret from /root/.openclaw/openclaw.json to obtain tenant_access_token.
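
A narrower way to obtain the same two values, following the scan's recommendations (list the keys in the config, prefer environment variables or an explicit path). This is an added example, not the skill's own code; the environment variable names, the secret-name heuristic and every key in the sample config other than channels.feishu.appId / appSecret are constructed assumptions.

```python
import json
import os
from pathlib import Path

SECRET_HINTS = ("secret", "token", "password", "key")  # name heuristic (assumption)


def secret_like_paths(node, prefix=""):
    """Dotted paths (names only, never values) of keys whose names look like secrets."""
    if isinstance(node, list):
        node = {f"[{i}]": v for i, v in enumerate(node)}
    if not isinstance(node, dict):
        return []
    found = []
    for name, value in node.items():
        path = f"{prefix}.{name}" if prefix else name
        if isinstance(value, (dict, list)):
            found += secret_like_paths(value, path)
        elif any(hint in name.lower() for hint in SECRET_HINTS):
            found.append(path)
    return sorted(found)


def unrelated_secrets(config):
    """Secret-like keys outside channels.feishu that a whole-file read also exposes."""
    return [p for p in secret_like_paths(config) if not p.startswith("channels.feishu.")]


def load_feishu_credentials(config_path=None, env=os.environ):
    """Prefer env vars (hypothetical names); else read an explicit path, keep two keys."""
    app_id, app_secret = env.get("FEISHU_APP_ID"), env.get("FEISHU_APP_SECRET")
    if app_id and app_secret:
        return {"appId": app_id, "appSecret": app_secret, "source": "env"}
    if config_path is None:
        raise ValueError("no Feishu env vars set and no explicit config path given")
    config = json.loads(Path(config_path).read_text(encoding="utf-8"))
    feishu = config.get("channels", {}).get("feishu", {})
    if not feishu.get("appId") or not feishu.get("appSecret"):
        raise KeyError("channels.feishu.appId / appSecret missing")
    # Only the two Feishu values are returned; the rest of the file is discarded.
    return {"appId": feishu["appId"], "appSecret": feishu["appSecret"], "source": str(config_path)}


# Constructed sample (not a real openclaw.json): Feishu plus unrelated secrets.
SAMPLE_CONFIG = {
    "channels": {"feishu": {"appId": "cli_example", "appSecret": "example-secret"},
                 "otherchat": {"botToken": "example-token"}},
    "gatewayApiKey": "example-key",
}
```

Running unrelated_secrets over the parsed config before install shows, by key name only, what else the hardcoded whole-file read would put within the skill's reach.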

Error Codes

| Code | Meaning |
| --- | --- |
| 230002 | Bot not in target group |
| 230013 | Target user not in bot's availability scope |
| 230064 | Invalid thread_id |
| 230066 | Thread is in a secret group (no forwarding) |
| 230070 | Thread's group has anti-leak mode enabled |
| 230073 | Thread invisible to bot (joined after thread creation + history hidden) |
