Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu @Bot (飞书@机器人)

v1.0.0

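@-mention a bot in a Feishu group chat and send it a message. Use when the user needs to @ a bot in a Feishu group, notify other bots, or have bots communicate with each other.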

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for pcjinglang/feishu-mention-bot.

Install the skill "飞书@机器人" (pcjinglang/feishu-mention-bot) from ClawHub.
Skill page: https://clawhub.ai/pcjinglang/feishu-mention-bot
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install pcjinglang/feishu-mention-bot

ClawHub CLI

npx clawhub@latest install feishu-mention-bot

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (mentioning bots in Feishu group chat) align with the SKILL.md content: it explains message formats (<at> tags), how to call the Feishu API, and how to extract bots' open_id from mentions.
!
Instruction Scope
The instructions include concrete API calls that require Feishu app_id/app_secret and a tenant_access_token, and they show saving open_id to TOOLS.md or a database. However the skill metadata declares no required credentials or config paths. The SKILL.md also refers to a 'message' tool command (message action=send) without declaring or describing that tool. The instructions therefore assume access to secrets and to writable local tooling/config that were not declared.
Install Mechanism
No install spec and no code files (instruction-only). This is low risk from an install perspective — nothing is downloaded or written by an install step.
!
Credentials
Although the metadata declares no required environment variables or primary credential, the runtime examples require app_id and app_secret (sensitive credentials) to obtain a tenant_access_token. The skill should have declared that it needs these credentials; absence is a proportionality/visibility mismatch.
Persistence & Privilege
always:false and normal autonomous invocation are used (expected). The guidance to 'cache robot open_id' in TOOLS.md or DB implies persistent storage of identifiers (and possibly tokens if misused) in the agent workspace — this is behavior to be cautious about but not inherently privileged.
What to consider before installing
This skill appears to be what it says (how to @-mention bots in Feishu), but its runtime examples require Feishu app_id/app_secret and instruct caching open_id to TOOLS.md — yet those credentials and paths are not declared in the metadata. Before installing or running:

  1. Confirm how and where you will provide app_id/app_secret (do not paste secrets into public files).
  2. Prefer a least-privileged Feishu app and short-lived tokens.
  3. If the skill will write TOOLS.md or other files, ensure those files are stored securely (use a secrets manager or protected database, not plaintext in workspace).
  4. Ask the skill author what the 'message' tool is and whether it has access to other credentials/files.
  5. If you are uncomfortable with undeclared secret usage or local writes, do not enable the skill until the author documents required env vars/paths and their intended use.

Like a lobster shell, security has layers — review code before you run it.

latestvk978ygqnv7w89jjk2bp0xm54q1821j1p
488 downloads
0 stars
1 versions
Updated 14h ago
v1.0.0
MIT-0

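Feishu @Bot Skill

@-mention other bots in a Feishu group chat and send them a message, so that the mentioned bot receives a notification and responds.

Prerequisites

Make sure the Feishu app has the following permissions:

  • im:message, im:message:send_as_bot — send messages
  • im:message.group_at_msg:readonly — receive @-mention messages

Core: the @bot format

Text messages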

<at user_id="open_id">名字</at> 你的消息内容

Rich text messages (post)

Use inside the markdown content:

<at user_id="open_id">名字</at>

Card messages (interactive)

Use inside the lark_md content:

<at id=open_id></at>

How to get a bot's open_id

Method: extract from message history

# 1. Get the tenant_access_token
TOKEN=$(curl -s -X POST "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal" \
  -H "Content-Type: application/json" \
  -d '{"app_id":"YOUR_APP_ID","app_secret":"YOUR_APP_SECRET"}' | jq -r '.tenant_access_token')

# 2. Fetch the group message history and extract mentions
curl -s "https://open.feishu.cn/open-apis/im/v1/messages?container_id_type=chat&container_id=CHAT_ID&page_size=50" \
  -H "Authorization: Bearer $TOKEN" | \
  jq '[.data.items[]? | select(.mentions != null and .mentions != []) | .mentions[]?] | unique_by(.id)'

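Key points:

  • Feishu's group member API does not return bot information
  • The open_id must be extracted from the mentions field of the message history
  • Only messages in which the bot was @-mentioned in the group carry mentions

Usage examples

Using the message tool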

message action=send channel=feishu target=chat:CHAT_ID message="<at user_id=\"ou_xxx\">机器人名</at> 你好!"

Calling the Feishu API directly

curl -X POST "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=chat_id" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "receive_id": "CHAT_ID",
    "msg_type": "text",
    "content": "{\"text\":\"<at user_id=\\\"ou_xxx\\\">机器人名</at> 你好!\"}"
  }'

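Notes

  1. Must use open_id: an app_id cannot be used; it must be an open_id beginning with ou_
  2. The bot must be in the group: the mentioned bot must be a group member
  3. The bot must subscribe to the event: the mentioned bot must subscribe to the im.message.group_at_msg event to receive notifications
  4. Cache the bot's open_id: after obtaining it, save it to TOOLS.md or a database to avoid repeated lookups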
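
The lookup and send steps above, as an added Python example (not part of the skill). It mirrors the jq filter and the text-message body, additionally enforces the ou_ rule from note 1, and reads credentials from the environment instead of inlining them. The variable names FEISHU_APP_ID / FEISHU_APP_SECRET, the open_id character set, and the name field in the sample mentions are assumptions.

```python
import json
import os
import re

# Assumption: an open_id is "ou_" followed by letters, digits or underscores.
OPEN_ID_RE = re.compile(r"ou_[A-Za-z0-9_]+")


def load_credentials(env=os.environ):
    """Read app credentials from the environment (hypothetical variable names)
    so they never appear in SKILL.md, TOOLS.md or shell history."""
    try:
        return env["FEISHU_APP_ID"], env["FEISHU_APP_SECRET"]
    except KeyError as missing:
        raise RuntimeError(f"{missing.args[0]} is not set") from None


def extract_mentions(history):
    """Same selection as the jq filter: every mention in data.items,
    de-duplicated by id, keeping only well-formed open_ids."""
    found = {}
    for item in (history.get("data") or {}).get("items") or []:
        for m in item.get("mentions") or []:
            mid = m.get("id", "")
            if OPEN_ID_RE.fullmatch(mid):
                found.setdefault(mid, m.get("name", ""))
    return found


def build_text_payload(chat_id, open_id, name, text):
    """Body for POST /open-apis/im/v1/messages?receive_id_type=chat_id."""
    if not OPEN_ID_RE.fullmatch(open_id):
        raise ValueError("open_id must start with ou_ (an app_id will not work)")
    if any(c in name for c in "<>"):
        raise ValueError("name must not contain markup characters")
    at = f'<at user_id="{open_id}">{name}</at> {text}'
    # "content" is itself a JSON string, so the text is JSON-encoded twice.
    return json.dumps({"receive_id": chat_id, "msg_type": "text",
                       "content": json.dumps({"text": at}, ensure_ascii=False)},
                      ensure_ascii=False)


# Constructed sample of a message-history response (not real data).
SAMPLE_HISTORY = {"data": {"items": [
    {"mentions": [{"id": "ou_aaa111", "name": "BotA"}]},
    {"mentions": []},
    {"body": {"content": "no mentions field"}},
    {"mentions": [{"id": "ou_aaa111", "name": "BotA"},
                  {"id": "cli_bbb222", "name": "NotAnOpenId"}]},
]}}
```

The cached result of extract_mentions contains identifiers only; the tenant_access_token and app_secret should not be written next to it in TOOLS.md.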

Current group bot list

Look up the specific open_id in TOOLS.md or the message history

Example:

Name          open_id
OpenClaw唐    ou_xxx
Lynn          ou_xxx
