Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xiao Ai Public-Opinion Results Feishu Push (小爱舆情结果飞书推送)

v1.1.0

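Filters records from a Feishu Bitable according to rules, formats the content, automatically pushes it to the specified Feishu group bot webhook, and updates the push-status field.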

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for frankieway/yuqing-push-skill.

Install the skill "小爱舆情结果飞书推送" (frankieway/yuqing-push-skill) from ClawHub.
Skill page: https://clawhub.ai/frankieway/yuqing-push-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install yuqing-push-skill

ClawHub CLI

npx clawhub@latest install yuqing-push-skill
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the implementation: the code talks to open.feishu.cn (tenant token, bitable records, record update) and posts to a provided Feishu webhook. Required inputs (bitable_url, app_id/app_secret, webhook_url, rule_expression, message_template) are appropriate and necessary for the stated functionality.
Instruction Scope
Runtime instructions and code stay within the stated scope (fetch records, evaluate rule, render message, post webhook, mark records). One notable implementation detail: eval(rule_expression, ...) is used to evaluate a user-supplied Python expression with __builtins__ removed and only fields in locals—this is appropriate for user-provided filter expressions but still a surface for misuse if untrusted expressions or unexpected object types are supplied. The skill reads only inputs and interacts with Feishu endpoints; it does not reference unrelated system files or external hosts.
Install Mechanism
No install spec; code is instruction-only with included Python files. requirements.txt lists requests/urllib3 which matches code usage. Nothing is downloaded from arbitrary URLs and no archive extraction is present.
Credentials
Requested secrets (app_id, app_secret, webhook_url) are directly relevant to Feishu API usage. The skill does not request unrelated credentials or config paths. The code accepts inputs via environment variables or INPUT_* names (consistent with typical runner behavior).
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide privileges. It modifies only records in the specified bitable table (marks '是否推送' field) which matches its purpose.
Assessment
This skill appears to do exactly what it says: read a Feishu bitable view, filter records by a user-provided Python expression, post formatted messages to a Feishu group webhook, and mark records to avoid duplicate pushes. Before installing: (1) review and test with a small limit (e.g., limit=5) and a non-production Feishu app/space to confirm behaviour; (2) ensure the app_id/app_secret and webhook_url are for a dedicated service account you control; (3) be cautious with rule_expression you paste in — although the code restricts builtins, treat expressions as coming from trusted users; (4) review message_template and field contents to avoid inadvertently including malicious links or sensitive data in group messages; and (5) inspect the full push_skill.py (and scripts/push.py) if you need to be certain no additional network endpoints or logging of secrets are present.
push_skill.py:103
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

latest vk97fdvvr5k5km4gtnnjhrzk2r983hyny
219 downloads
0 stars
5 versions
Updated 22h ago
v1.1.0
MIT-0

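name: bitable_to_feishu_webhook
version: "1.1.0"
description: >
  Filters records from a Feishu Bitable according to user rules and automatically pushes the formatted content to the specified group bot webhook (Feishu group message).
  Internally, the field 「是否推送」 is used as the push status:
    - empty: not yet evaluated
    - 不推送: evaluated, does not meet the push condition
    - 待推送: matched the push condition in this run, ready to push
    - 已推送: pushed successfully
  This Skill only scans records whose 「是否推送」 field is empty.

entrypoint:
  command: "python"
  args:
    - "push_skill.py"

inputs:
  - name: bitable_url
    type: string
    required: true
    description: Link to the target Feishu Bitable view (contains the base/app_token and table parameters)

  - name: app_id
    type: string
    required: true
    description: Feishu Open Platform application APP_ID (used to obtain the tenant_access_token)

  - name: app_secret
    type: string
    required: true
    description: Feishu Open Platform application APP_SECRET

  - name: webhook_url
    type: string
    required: true
    description: Webhook address of the Feishu group bot (for example https://open.feishu.cn/open-apis/bot/v2/hook/xxx)

  - name: rule_expression
    type: string
    required: true
    description: |
      Trigger condition expression (a Python expression) that returns True/False.
      Access Bitable fields with fields['字段名'] (字段名 is the field name), for example:
      "('负向' in fields.get('评价情感(机器)','')) and ('小米' in fields.get('正文',''))"

  - name: message_template
    type: string
    required: true
    description: |
      Push message template; use {字段名} placeholders (字段名 is the field name), for example:
      "【负向舆情预警]\n标题:{标题}\n情感:{评价情感(机器)}\n正文:{正文}\n链接:{原文 URL}"

  - name: limit
    type: integer
    required: false
    default: 50
    description: Maximum number of records to check and push in this run (in Bitable view order)

outputs:
  - name: pushed_count
    type: integer
    description: Number of messages actually pushed in this run

permissions:
  network:
    - "https://open.feishu.cn"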
