dingtalk-feishu-cn

DingTalk/Feishu integration - enterprise messaging, bots, and automated workflows (the Chinese counterpart to Slack)

MIT-0 · Free to use, modify, and redistribute. No attribution required.
5 · 1.1k · 8 current installs · 9 all-time installs
by Guohongbin @guohongbin-git
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description claim DingTalk and Feishu integration, which matches the content of SKILL.md (webhooks, SDK examples). However the SKILL.md uses placeholders like APP_KEY, APP_SECRET, APP_ID and webhook tokens but the skill metadata declares no required environment variables or primary credential. The quick-start references local scripts (./scripts/dingtalk-notify.sh, ./scripts/feishu-notify.sh) that are not present in the package. The lack of declared secrets and missing scripts is an incoherence between purpose and actual package contents.
Instruction Scope
Runtime instructions tell the agent to send curl requests to webhook endpoints and to install/instantiate SDK clients using APP_KEY/APP_SECRET variables. They also show running local scripts that don't exist in the bundle. While the instructions do not explicitly exfiltrate data or call unexpected external endpoints, they implicitly require secret tokens and local scripts that are not provided — leaving ambiguity about where secrets should be stored and what the scripts would do if run.
Install Mechanism
There is no install spec and no code files besides SKILL.md and package.json, so nothing will be downloaded or executed by the platform installer. This is the lowest-risk install mechanism for a skill.
Credentials
The skill clearly needs service credentials (webhook tokens, APP_KEY/APP_SECRET, APP_ID) to function, but requires.env and primary credential are empty. That mismatch makes it unclear how the skill expects to receive secrets and increases risk that users might supply credentials in insecure ways. The package.json author is anonymous ('money-maker-ai') and there is no homepage or source URL to validate authorship.
Persistence & Privilege
The skill does not request always: true, does not declare config path access, and does not modify other skills. Autonomous invocation is allowed (the platform default) but there are no additional persistence or elevated privileges requested.
What to consider before installing
This skill's instructions show it needs webhook URLs and API keys (APP_KEY, APP_SECRET, APP_ID) and refer to local scripts, but the package metadata does not declare any required credentials and the referenced scripts are missing. Before installing:

  1. Do not supply organization credentials or tokens until the author documents exactly which env vars are required and how they are used.
  2. Ask the publisher for the missing ./scripts files or for concrete examples showing where secrets should be stored (and insist on secure storage).
  3. Prefer skills with a homepage, source repository, or a known publisher; 'money-maker-ai' and no homepage is a weak provenance signal.
  4. If you do test it, use throwaway test accounts/webhooks rather than production credentials.
  5. If the agent will run autonomously with credentials, treat that as higher risk — only enable if you trust the author and have verified the code.

These inconsistencies are explainable (incomplete packaging) but they warrant caution, so treat the skill as suspicious until the author addresses them.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latest: vk975h8nawfj6wrsx8nq825ej5h81e3tw

Runtime requirements

💼 Clawdis

SKILL.md

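DingTalk/Feishu Integration

Enterprise messaging, bots, and automated workflows.

Features

  • 💬 Sending and receiving messages
  • 🤖 Bot integration
  • 📅 Calendar management
  • 📋 Approval workflows
  • 🔄 Automated workflows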

Platform comparison

Feature | DingTalk | Feishu/Lark
Webhook
API
Bots
Docs | ✅ | ✅
Internationalization

DingTalk integration

Webhook bot

# Send a message
curl -X POST "https://oapi.dingtalk.com/robot/send?access_token=YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "msgtype": "text",
    "text": {"content": "这是一条测试消息"}
  }'

API calls

# Use dingtalk-sdk
pip install dingtalk-sdk

from dingtalk import SecretClient
client = SecretClient(APP_KEY, APP_SECRET)

Feishu/Lark integration

Webhook bot

# Send a message
curl -X POST "https://open.feishu.cn/open-apis/bot/v2/hook/YOUR_HOOK" \
  -H "Content-Type: application/json" \
  -d '{
    "msg_type": "text",
    "content": {"text": "这是一条测试消息"}
  }'

API calls

# Use lark-oapi
pip install lark-oapi

import lark_oapi as lark
client = lark.Client.builder() \
    .app_id(APP_ID) \
    .app_secret(APP_SECRET) \
    .build()

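Use cases

1. Alert notifications

  • Server alerts
  • Business anomalies
  • Scheduled reports

2. Automation

  • CI/CD notifications
  • Task-completion reminders
  • Approval workflows

3. Bots

  • Q&A bots
  • Lookup tools
  • Work assistants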

Quick start

# DingTalk bot
./scripts/dingtalk-notify.sh "告警: CPU 使用率 90%"

# Feishu bot
./scripts/feishu-notify.sh "任务完成: 数据同步成功"

Notes

  1. Security: do not leak the webhook URL
  2. Rate: avoid flooding recipients with messages
  3. Format: use Markdown/card messages for a better experience
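
The security note above and the scan's finding that the skill declares no credentials are illustrated by this added example, which is not part of the skill or of the original page: it reads the webhook secret from the environment, JSON-encodes the message, and keeps the secret out of error text. The environment variable names DINGTALK_WEBHOOK_TOKEN and FEISHU_WEBHOOK_HOOK and all function names are assumptions.

```python
import json
import os
import urllib.request

# Endpoints and payload shapes are the ones shown in SKILL.md.
DINGTALK_URL = "https://oapi.dingtalk.com/robot/send?access_token={secret}"
FEISHU_URL = "https://open.feishu.cn/open-apis/bot/v2/hook/{secret}"

# Environment variable names are assumptions; the skill itself declares none.
ENV_NAMES = {"dingtalk": "DINGTALK_WEBHOOK_TOKEN", "feishu": "FEISHU_WEBHOOK_HOOK"}


def build_request(platform, text, env=os.environ):
    """Return (url, body_bytes) for a text message; the secret comes from env only."""
    secret = env.get(ENV_NAMES[platform], "")
    if not secret or secret.startswith("YOUR_"):
        raise RuntimeError(f"{ENV_NAMES[platform]} is not set")
    if platform == "dingtalk":
        url = DINGTALK_URL.format(secret=secret)
        payload = {"msgtype": "text", "text": {"content": text}}
    else:
        url = FEISHU_URL.format(secret=secret)
        payload = {"msg_type": "text", "content": {"text": text}}
    # json.dumps escapes quotes and newlines that would break a hand-built -d string.
    return url, json.dumps(payload, ensure_ascii=False).encode("utf-8")


def redact(url, env=os.environ):
    """Replace any configured webhook secret in a URL before it is logged."""
    for name in ENV_NAMES.values():
        secret = env.get(name)
        if secret:
            url = url.replace(secret, "***")
    return url


def send(platform, text, env=os.environ):
    """POST the message; on failure, raise without echoing the secret-bearing URL."""
    url, body = build_request(platform, text, env)
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except Exception as exc:
        raise RuntimeError(f"POST to {redact(url, env)} failed: {type(exc).__name__}") from None
```

Test with a throwaway webhook, as the scan report advises, before pointing it at a production group.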

Version: 1.0.0

Files

2 total