ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

飞书转发消息读取器

v1.1.0

读取和解析飞书合并转发消息(merge_forward)的详细内容。当收到飞书转发消息显示为"Merged and Forwarded Message"时使用此 skill 获取原始消息内容。

0· 459·0 current·0 all-time
by@konce

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for konce/feishu-forward-reader.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "飞书转发消息读取器" (konce/feishu-forward-reader) from ClawHub.
Skill page: https://clawhub.ai/konce/feishu-forward-reader
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install konce/feishu-forward-reader

ClawHub CLI

Package manager switcher

npx clawhub@latest install feishu-forward-reader
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md, and included scripts consistently implement a Feishu 'merge_forward' message reader that calls Feishu APIs to fetch and parse sub-messages. The required operations (requesting tenant token, calling im/v1/messages, optional contact user lookup) align with the described purpose.
Instruction Scope
Runtime instructions and scripts only call Feishu endpoints and optionally read ~/.openclaw/openclaw.json for credentials. This is within scope, but note the script will (optionally) call the contact API to resolve user names and will read the user's OpenClaw config file if present.
Install Mechanism
No install spec or external downloads; the skill is instruction-only plus two small scripts bundled in the skill. Nothing is written to disk by an installer beyond the included files.
!
Credentials
Registry metadata lists no required environment variables, yet both SKILL.md and the scripts accept/require FEISHU_APP_ID and FEISHU_APP_SECRET (or reading these from ~/.openclaw/openclaw.json). That's an inconsistency the publisher should clarify. The requested credentials are proportional to the task, but the mismatch in declared requirements is a red flag. Also the scripts will use the token to call contact API (contact:contact.base:readonly) if username resolution is enabled.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system settings. It only reads a user config file (~/.openclaw/openclaw.json) when present and uses network calls to Feishu endpoints.
What to consider before installing
This skill appears to do what it says: fetch and format Feishu merged/forwarded messages. Before installing, verify the following: 1) The publisher's metadata is inconsistent — the scripts require FEISHU_APP_ID and FEISHU_APP_SECRET (or an OpenClaw config) even though the registry lists no env vars; confirm you are comfortable providing those credentials. 2) Prefer creating a dedicated Feishu app with minimal scopes (im:message:readonly and optionally contact:contact.base:readonly) rather than using high-privilege credentials. 3) The scripts will read ~/.openclaw/openclaw.json if present — check that file's contents and ensure you trust the skill to access it. 4) The code only contacts open.feishu.cn endpoints; if you see other outbound destinations in a future version, treat that as a serious red flag. If you need higher assurance, ask the publisher to update the registry metadata to declare the required env vars and to provide provenance (homepage or source repo) so you can audit the code yourself.

Like a lobster shell, security has layers — review code before you run it.

latestvk973mse4jyvqtgm02j4jyeezgx81vc2v
459downloads
0stars
3versions
Updated 14h ago
v1.1.0
MIT-0
@konce
latest
Download

飞书转发消息读取器

读取飞书合并转发消息的详细内容。

问题背景

飞书的合并转发消息 (merge_forward) 在 OpenClaw 中默认只显示 "Merged and Forwarded Message",无法看到实际转发的内容。此 skill 通过飞书 API 获取转发消息的完整子消息列表。

凭证配置

脚本会自动从以下位置获取飞书凭证(按优先级):

  1. 命令行参数: --app-id / --app-secret
  2. 环境变量: FEISHU_APP_ID / FEISHU_APP_SECRET
  3. OpenClaw 配置: ~/.openclaw/openclaw.json 中的 channels.feishu.appId/appSecret

如果已配置 OpenClaw 飞书插件,无需额外配置即可使用。

快速使用

方法 1:Python 脚本(推荐)

# 自动从 OpenClaw 配置读取凭证
python3 scripts/parse_forward.py <message_id>

# 或手动指定凭证
python3 scripts/parse_forward.py <message_id> --app-id <id> --app-secret <secret>

# JSON 格式输出
python3 scripts/parse_forward.py <message_id> --format json

# 不查询用户名(更快)
python3 scripts/parse_forward.py <message_id> --no-names

方法 2:Shell 脚本(原始 JSON)

# 自动从配置读取凭证
./scripts/read_forward.sh <message_id>

# 或手动指定
./scripts/read_forward.sh <message_id> <app_id> <app_secret>

方法 3:直接调用 API

# 获取 token
TOKEN=$(curl -s -X POST 'https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal' \
  -H 'Content-Type: application/json' \
  -d '{"app_id":"YOUR_APP_ID","app_secret":"YOUR_APP_SECRET"}' | jq -r '.tenant_access_token')

# 获取消息详情
curl -s "https://open.feishu.cn/open-apis/im/v1/messages/<message_id>" \
  -H "Authorization: Bearer $TOKEN" | jq .

API 响应结构

{
  "code": 0,
  "data": {
    "items": [
      {
        "message_id": "om_xxx",
        "msg_type": "merge_forward",
        "body": {"content": "Merged and Forwarded Message"}
      },
      {
        "message_id": "om_yyy",
        "msg_type": "text",
        "body": {"content": "{\"text\":\"实际消息内容\"}"},
        "upper_message_id": "om_xxx",
        "sender": {"id": "ou_xxx", "sender_type": "user"},
        "create_time": "1234567890000"
      }
    ]
  }
}
  • 第一条是转发消息本身 (msg_type: merge_forward)
  • 后续是被转发的原始消息,带有 upper_message_id 指向父消息

支持的消息类型

类型说明解析方式
text文本消息body.content → JSON → text
post富文本消息body.content → JSON → title + content
interactive卡片消息body.content → JSON → title + elements
image图片显示 [图片]
file文件显示 [文件]
audio语音显示 [语音]
video视频显示 [视频]

权限要求

飞书应用需要以下权限:

  • im:message:readonly - 获取群组中所有消息(敏感权限)
  • contact:contact.base:readonly - 获取用户基本信息(可选,用于显示用户名)

示例输出

📨 合并转发消息 (3 条)
来源群: oc_xxxxxxxxxxxxxxxxxxxx
----------------------------------------
[02-25 14:02] 张三
  大家好,这是一条测试消息

[02-25 14:03] ou_yyyyyyyyyyy...
  收到,我看看

[02-25 14:05] 李四
  已处理完成

注:可见范围内的用户显示真实姓名,范围外的显示 ID 前缀。

Comments

Loading comments...