← Back to Skills Marketplace

飞书转发消息读取器

Name: 飞书转发消息读取器
Author: konce

by konce · GitHub ↗ · v1.1.0

cross-platform ⚠ suspicious

480

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install feishu-forward-reader

Description

读取和解析飞书合并转发消息(merge_forward)的详细内容。当收到飞书转发消息显示为"Merged and Forwarded Message"时使用此 skill 获取原始消息内容。

README (SKILL.md)

飞书转发消息读取器

读取飞书合并转发消息的详细内容。

问题背景

飞书的合并转发消息 (merge_forward) 在 OpenClaw 中默认只显示 "Merged and Forwarded Message"，无法看到实际转发的内容。此 skill 通过飞书 API 获取转发消息的完整子消息列表。

凭证配置

脚本会自动从以下位置获取飞书凭证（按优先级）：

命令行参数: --app-id / --app-secret
环境变量: FEISHU_APP_ID / FEISHU_APP_SECRET
OpenClaw 配置: ~/.openclaw/openclaw.json 中的 channels.feishu.appId/appSecret

如果已配置 OpenClaw 飞书插件，无需额外配置即可使用。

快速使用

方法 1：Python 脚本（推荐）

# 自动从 OpenClaw 配置读取凭证
python3 scripts/parse_forward.py \x3Cmessage_id>

# 或手动指定凭证
python3 scripts/parse_forward.py \x3Cmessage_id> --app-id \x3Cid> --app-secret \x3Csecret>

# JSON 格式输出
python3 scripts/parse_forward.py \x3Cmessage_id> --format json

# 不查询用户名（更快）
python3 scripts/parse_forward.py \x3Cmessage_id> --no-names

方法 2：Shell 脚本（原始 JSON）

# 自动从配置读取凭证
./scripts/read_forward.sh \x3Cmessage_id>

# 或手动指定
./scripts/read_forward.sh \x3Cmessage_id> \x3Capp_id> \x3Capp_secret>

方法 3：直接调用 API

# 获取 token
TOKEN=$(curl -s -X POST 'https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal' \
  -H 'Content-Type: application/json' \
  -d '{"app_id":"YOUR_APP_ID","app_secret":"YOUR_APP_SECRET"}' | jq -r '.tenant_access_token')

# 获取消息详情
curl -s "https://open.feishu.cn/open-apis/im/v1/messages/\x3Cmessage_id>" \
  -H "Authorization: Bearer $TOKEN" | jq .

API 响应结构

{
  "code": 0,
  "data": {
    "items": [
      {
        "message_id": "om_xxx",
        "msg_type": "merge_forward",
        "body": {"content": "Merged and Forwarded Message"}
      },
      {
        "message_id": "om_yyy",
        "msg_type": "text",
        "body": {"content": "{\"text\":\"实际消息内容\"}"},
        "upper_message_id": "om_xxx",
        "sender": {"id": "ou_xxx", "sender_type": "user"},
        "create_time": "1234567890000"
      }
    ]
  }
}

第一条是转发消息本身 (msg_type: merge_forward)
后续是被转发的原始消息，带有 upper_message_id 指向父消息

支持的消息类型

类型	说明	解析方式
`text`	文本消息	`body.content` → JSON → `text`
`post`	富文本消息	`body.content` → JSON → `title` + `content`
`interactive`	卡片消息	`body.content` → JSON → `title` + `elements`
`image`	图片	显示 `[图片]`
`file`	文件	显示 `[文件]`
`audio`	语音	显示 `[语音]`
`video`	视频	显示 `[视频]`

权限要求

飞书应用需要以下权限：

im:message:readonly - 获取群组中所有消息（敏感权限）
contact:contact.base:readonly - 获取用户基本信息（可选，用于显示用户名）

示例输出

📨 合并转发消息 (3 条)
来源群: oc_xxxxxxxxxxxxxxxxxxxx
----------------------------------------
[02-25 14:02] 张三
  大家好，这是一条测试消息

[02-25 14:03] ou_yyyyyyyyyyy...
  收到，我看看

[02-25 14:05] 李四
  已处理完成

注：可见范围内的用户显示真实姓名，范围外的显示 ID 前缀。

Usage Guidance

This skill appears to do what it says: fetch and format Feishu merged/forwarded messages. Before installing, verify the following: 1) The publisher's metadata is inconsistent — the scripts require FEISHU_APP_ID and FEISHU_APP_SECRET (or an OpenClaw config) even though the registry lists no env vars; confirm you are comfortable providing those credentials. 2) Prefer creating a dedicated Feishu app with minimal scopes (im:message:readonly and optionally contact:contact.base:readonly) rather than using high-privilege credentials. 3) The scripts will read ~/.openclaw/openclaw.json if present — check that file's contents and ensure you trust the skill to access it. 4) The code only contacts open.feishu.cn endpoints; if you see other outbound destinations in a future version, treat that as a serious red flag. If you need higher assurance, ask the publisher to update the registry metadata to declare the required env vars and to provide provenance (homepage or source repo) so you can audit the code yourself.

Capability Analysis

Type: OpenClaw Skill Name: feishu-forward-reader Version: 1.1.0 The skill is classified as suspicious due to a critical shell injection vulnerability found in `scripts/read_forward.sh`. The `APP_ID` and `APP_SECRET` variables are directly interpolated into a `curl -d` JSON payload without proper escaping, allowing for arbitrary command execution if these inputs contain malicious shell metacharacters. While the overall purpose of the skill appears benign and the Python script (`scripts/parse_forward.py`) is robust, this vulnerability poses a significant risk.

Capability Assessment

✓ Purpose & Capability

Name, description, SKILL.md, and included scripts consistently implement a Feishu 'merge_forward' message reader that calls Feishu APIs to fetch and parse sub-messages. The required operations (requesting tenant token, calling im/v1/messages, optional contact user lookup) align with the described purpose.

ℹ Instruction Scope

Runtime instructions and scripts only call Feishu endpoints and optionally read ~/.openclaw/openclaw.json for credentials. This is within scope, but note the script will (optionally) call the contact API to resolve user names and will read the user's OpenClaw config file if present.

✓ Install Mechanism

No install spec or external downloads; the skill is instruction-only plus two small scripts bundled in the skill. Nothing is written to disk by an installer beyond the included files.

⚠ Credentials

Registry metadata lists no required environment variables, yet both SKILL.md and the scripts accept/require FEISHU_APP_ID and FEISHU_APP_SECRET (or reading these from ~/.openclaw/openclaw.json). That's an inconsistency the publisher should clarify. The requested credentials are proportional to the task, but the mismatch in declared requirements is a red flag. Also the scripts will use the token to call contact API (contact:contact.base:readonly) if username resolution is enabled.

✓ Persistence & Privilege

The skill does not request permanent presence (always:false) and does not modify other skills or system settings. It only reads a user config file (~/.openclaw/openclaw.json) when present and uses network calls to Feishu endpoints.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install feishu-forward-reader
After installation, invoke the skill by name or use /feishu-forward-reader
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.1.0

集成 OpenClaw 配置：自动从环境变量或 ~/.openclaw/openclaw.json 读取飞书凭证，无需硬编码

v1.0.1

脱敏处理：移除示例中的真实 ID，移除脚本中的默认凭证

v1.0.0

Initial release: 读取和解析飞书合并转发消息，支持用户名查询

Metadata

Slug feishu-forward-reader

Version 1.1.0

License —

All-time Installs 0

Active Installs 0

Total Versions 3

Frequently Asked Questions

What is 飞书转发消息读取器?

读取和解析飞书合并转发消息(merge_forward)的详细内容。当收到飞书转发消息显示为"Merged and Forwarded Message"时使用此 skill 获取原始消息内容。 It is an AI Agent Skill for Claude Code / OpenClaw, with 480 downloads so far.

How do I install 飞书转发消息读取器?

Run "/install feishu-forward-reader" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is 飞书转发消息读取器 free?

Yes, 飞书转发消息读取器 is completely free (open-source). You can download, install and use it at no cost.

Which platforms does 飞书转发消息读取器 support?

飞书转发消息读取器 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created 飞书转发消息读取器?

It is built and maintained by konce (@konce); the current version is v1.1.0.

More Skills

飞书转发消息读取器

飞书转发消息读取器

问题背景

凭证配置

快速使用

方法 1：Python 脚本（推荐）

方法 2：Shell 脚本（原始 JSON）

方法 3：直接调用 API

API 响应结构

支持的消息类型

权限要求

示例输出

What is 飞书转发消息读取器?

How do I install 飞书转发消息读取器?

Is 飞书转发消息读取器 free?

Which platforms does 飞书转发消息读取器 support?

Who created 飞书转发消息读取器?

💬 Comments