ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Group Helper

v0.1.0

Manage Feishu group info, record join/leave events, and send messages to groups with name lookup and active group confirmation.

0· 95·0 current·0 all-time
bymsx.pan@panmenglin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose is to maintain Feishu group info and assist sending messages. The included code implements local JSON storage and management functions (add/remove/list/sync) which is consistent. However SKILL.md explicitly states the file lives at ~/openclaw/workspace/feishu-groups.json per agent, while scripts/groupManager.js defaults to process.cwd()/feishu-groups.json. That mismatch could lead to data being written somewhere other than the documented agent workspace. The module also exposes setGroupsFilePath(customPath) allowing callers to point the storage file to an arbitrary path — this capability is useful but also enables overwriting/reading files outside the promised workspace if misused.
!
Instruction Scope
SKILL.md instructs using platform Feishu helpers (feishu_chat, feishu_app_scopes(), message sending) but the code does not perform any network or credential operations itself — it only manages local data. That's acceptable if the platform provides the Feishu integration, but the instructions assume those platform APIs and permissions exist. The instructions and code both read/write a local JSON file; they do not transmit data externally. The concern is that the instructions claim a fixed workspace path while the code uses process.cwd() and permits a custom path, giving the agent discretion to access arbitrary filesystem locations if callers pass a different path.
Install Mechanism
No install spec, no downloads, and no additional binaries — instruction-only plus a small local JS module. This is low-risk from an install/execution-distribution perspective.
Credentials
The skill declares no required environment variables or credentials, which matches the module (it doesn't call Feishu APIs directly). SKILL.md discusses Feishu permissions and platform functions but does not request or document any credentials in the skill metadata — this is fine if the platform supplies them, but you should confirm how Feishu tokens/permissions are provided and whether the platform will expose them to this skill when invoked.
Persistence & Privilege
always: false and the skill does not request permanent system-wide presence or modify other skills. It writes to a local JSON file under a configurable path (module-level state), which is normal for this type of helper.
What to consider before installing
This skill is primarily a local JSON-based group metadata manager and appears to do what it says, but take these precautions before installing: - Confirm file location: SKILL.md says the file should live under the agent workspace (~/openclaw/workspace/feishu-groups.json) but the code defaults to process.cwd()/feishu-groups.json. Ensure initGroupsFile or setGroupsFilePath is called with an explicit path inside your agent workspace so data isn't written to an unexpected directory. - Restrict custom path usage: The exported setGroupsFilePath(customPath) can point the module at any filesystem path. If you don't control callers, treat this as a risk — avoid passing untrusted paths or require the skill to be run in a sandbox. - Verify Feishu credentials handling: The module doesn't perform API calls itself and expects platform helpers (feishu_chat, message). Confirm how your platform provides Feishu tokens/permissions and that they will not be exposed beyond intended scope. - Sandbox and review: Because the module writes files, run it in a restricted environment (or review and pin its source) before granting it access to production agent workspaces. - If you accept usage: call setGroupsFilePath explicitly to the workspace path you trust, run initGroupsFile once to create the file, and review file permissions to limit exposure. If you want, I can suggest minimal code edits to make the file path behavior safer (e.g., default to a known workspace path, disallow absolute paths in setGroupsFilePath, or require an explicit 'use_workspace' flag).

Like a lobster shell, security has layers — review code before you run it.

latestvk97c7j72r6k5dyzwk2481f6han83233f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

feishu-group-helper

飞书群管理 skill。用于维护群信息、处理群事件、发送群消息。

触发条件

  • 用户提到"飞书群管理"、"群信息"、"加入群"、"移出群"
  • 用户要求"发消息到群里"或"发送群消息"
  • 飞书事件:bot 被加入群、bot 被移出群(需升级)

核心功能

1. 群信息维护

群信息文件:各 agent 的 workspace 下 ~/openclaw/workspace/feishu-groups.json

注意: 每个 agent 的群信息独立维护,存储在该 agent 的 workspace 目录下。

记录格式:

{
  "groups": {
    "oc_xxx": {
      "chat_id": "oc_xxx",
      "name": "群名称",
      "member_count": 5,
      "added_at": "2026-01-01T00:00:00Z",
      "removed_at": null,
      "status": "active"
    }
  }
}

2. 记录新群

当 bot 被加入群或被要求记住群时:

  1. 调用 feishu_chat 获取群信息
  2. 调用 addGroup(chatId, name, memberCount) 添加到当前 agent 的群信息文件

3. 更新群信息

当 bot 被移出群或被要求注销群时:

  1. 调用 removeGroup(chatId) 标记为已移除

4. 发送群消息

用户指定群名:

  1. findGroupByName(name) 查找群
  2. isInGroup(chatId) 确认在群里
  3. message 发送消息到 chat:xxx

用户未指定群:

  1. getActiveGroups() 获取活跃群列表
  2. 列出群名让用户确认

5. 查看群信息

查看所有群:

  1. listAllGroups() 获取所有群信息(含状态)
  2. getActiveGroups() 获取仅活跃群

查看 bot 在哪些群:

  1. 调用飞书 API 获取 bot 所在的所有群
  2. 与记录中的群对比

事件监听(需升级)

需要的飞书权限

需要在飞书开放平台添加以下权限:

  • im:chat.memberbot.created - 机器人被添加到群
  • im:chat.memberbot.deleted - 机器人被移出群
  • im:chat.members:bot_access - 已有的

事件类型

事件说明处理
im.chat.member_bot.createdbot 被添加到群自动调用 addGroup()
im.chat.member_bot.deletedbot 被移出群自动调用 removeGroup()

升级步骤

  1. 在飞书开放平台配置事件订阅
  2. 设置回调 URL(需要公网域名)
  3. 在 OpenClaw 中添加事件处理能力
  4. 更新本 skill 支持自动处理

飞书权限说明

当前已拥有权限

权限名称说明用途
im:chat群聊管理获取群信息
im:chat.members:bot_access群成员列表查看群成员
im:message:send_as_bot发消息发送群消息
im:message.group_msg接收群消息接收群消息

当前缺少权限(事件监听用)

权限名称说明如何获取
im:chat.memberbot.created监听入群事件在飞书开放平台申请
im:chat.memberbot.deleted监听退群事件在飞书开放平台申请

权限检查

在 OpenClaw 中检查权限:

feishu_app_scopes()

权限申请引导

如需开启事件监听功能,请按以下步骤操作:

  1. 登录飞书开放平台 https://open.feishu.cn/
  2. 进入应用 → 选择你的应用
  3. 添加权限 → 搜索并添加:
    • im:chat.memberbot.created
    • im:chat.memberbot.deleted
  4. 发布新版本 → 提交审批
  5. 配置事件订阅 → 设置回调 URL(需公网域名)

事件订阅配置(进阶)

配置回调 URL 后,飞书会 POST 事件到你的服务器:

// 机器人被添加入群事件
{
  "schema": "2.0",
  "header": {
    "event_type": "im.chat.member_bot.created"
  },
  "event": {
    "chat_id": "oc_xxx",
    "operator_id": "ou_xxx"
  }
}

// 机器人被移出群事件
{
  "schema": "2.0",
  "header": {
    "event_type": "im.chat.member_bot.deleted"
  },
  "event": {
    "chat_id": "oc_xxx",
    "operator_id": "ou_xxx"
  }
}

收到事件后调用:

  • 入群:addGroup(chatId, name, memberCount)
  • 退群:removeGroup(chatId)

工具使用

// 添加群
const { addGroup } = require('./scripts/groupManager.js');
addGroup('oc_xxx', '群名', 5);

// 移除群
const { removeGroup } = require('./scripts/groupManager.js');
removeGroup('oc_xxx');

// 查找群
const { findGroupByName } = require('./scripts/groupManager.js');
findGroupByName('GoGoGo');

// 获取活跃群
const { getActiveGroups } = require('./scripts/groupManager.js');
getActiveGroups();

// 检查是否在群
const { isInGroup } = require('./scripts/groupManager.js');
isInGroup('oc_xxx');

// 查看所有群(含状态)
const { listAllGroups } = require('./scripts/groupManager.js');
listAllGroups();

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…