Downloads: 450
Stars: 0
Active Installs: 1
Versions: 4
Install in OpenClaw
/install multi-inbox-merge
Description
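Multi-platform direct message merge assistant: unifies messages from email, WhatsApp, Telegram, DingTalk, WeCom, Feishu, SMS and other channels into conversation threads, automatically deduplicates them, scores urgency, and generates a follow-up queue. Use when the user mentions "merge direct messages / unified inbox / customer message summary / follow-up list / read DingTalk messages".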
Usage Guidance
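The skill appears to implement what it claims; note the following before deciding to install or run it: 1) To use the "read DingTalk messages" feature you need to set DINGTALK_CLIENT_ID, DINGTALK_CLIENT_SECRET and DINGTALK_MESSAGES_API_URL; make sure these environment variables are set only on trusted hosts or containers. 2) Verify that DINGTALK_MESSAGES_API_URL points to your organization's controlled message-query endpoint (do not submit credentials to an unfamiliar URL). 3) Because the registry metadata does not list the DingTalk credentials, run the script in an isolated test environment first and review its output to confirm that it does not send data to unexpected endpoints. 4) For higher confidence, have a colleague familiar with DingTalk or networking review the request targets and headers in fetch_dingtalk_messages.py, or run the script in a network-restricted environment. If you would like me to compare the registry metadata against the environment variables in SKILL.md one by one and generate suggested correction text, I can produce that for you.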
Capability Analysis
Type: OpenClaw Skill
Name: multi-inbox-merge
Version: 0.1.3
The skill is classified as suspicious due to a critical vulnerability in `scripts/fetch_dingtalk_messages.py`. This script fetches DingTalk messages using credentials (`DINGTALK_CLIENT_ID`, `DINGTALK_CLIENT_SECRET`, `access_token`) which are sent to a user-configurable `DINGTALK_MESSAGES_API_URL`. While the stated purpose is legitimate, the lack of validation or allowlisting for this URL means that if an attacker can control the `DINGTALK_MESSAGES_API_URL` environment variable, they could redirect sensitive DingTalk credentials and access tokens to an arbitrary malicious server, leading to data exfiltration. The `SKILL.md` instructions for the agent to check for this variable do not mitigate this content-based vulnerability.
Capability Assessment
Purpose & Capability
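The skill's name and description match the scripts it contains: merging multi-platform messages, with support for pulling messages from DingTalk. The only inconsistency is that the registry metadata lists no required environment variables, while SKILL.md and fetch_dingtalk_messages.py explicitly require DINGTALK_CLIENT_ID, DINGTALK_CLIENT_SECRET and DINGTALK_MESSAGES_API_URL. When the DingTalk feature is not used, there is no such dependency. Overall this is reasonable, but the metadata is incomplete.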
Instruction Scope
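SKILL.md instructs the agent to process only exported files (CSV/JSON) and the optional DingTalk API pull. The script reads only command-line arguments and the specified environment variables, and issues HTTP POST requests to the DingTalk token and message APIs; it is not instructed to read other sensitive system files or to send data to external endpoints that the user did not specify. The instructions also include security advice not to leak secrets.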
Install Mechanism
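There are no install steps (instruction-only, plus a bundled Python script). Nothing is downloaded and no third-party binary is executed at install time, so the risk is low.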
Credentials
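DingTalk credentials are required only when DingTalk messages need to be pulled, and the credential types match their purpose. However, the registry metadata does not declare these required environment variables, which creates a transparency problem. In addition, the user must confirm that DINGTALK_MESSAGES_API_URL really points to an internal or trusted enterprise message-query endpoint rather than an arbitrary third party.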
Persistence & Privilege
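The skill does not request always-on residency (always) or the ability to modify other skills or system configuration. The default autonomous-invocation permission is the platform norm, and the script makes networked API calls only when the user actively runs it.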
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install multi-inbox-merge`
- After installation, invoke the skill by name or use `/multi-inbox-merge`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.3
Added a DingTalk prerequisite credential check and a guided configuration flow
v0.1.2
Added a DingTalk API fetch script and integration documentation; supports fetching first and then merging
v0.1.1
Localized SKILL.md, the schema and the script output into Chinese so that Chinese-speaking users can use it directly
v0.1.0
Initial MVP: merge cross-platform inbox exports, dedupe, score urgency, and generate follow-up queue
Frequently Asked Questions
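What is the Multi-Platform Direct Message Merge Assistant?
Multi-platform direct message merge assistant: unifies messages from email, WhatsApp, Telegram, DingTalk, WeCom, Feishu, SMS and other channels into conversation threads, automatically deduplicates them, scores urgency, and generates a follow-up queue. Use when the user mentions "merge direct messages / unified inbox / customer message summary / follow-up list / read DingTalk messages". It is an AI Agent Skill for Claude Code / OpenClaw, with 450 downloads so far.
How do I install the Multi-Platform Direct Message Merge Assistant?
Run "/install multi-inbox-merge" in the OpenClaw or Claude Code chat to install it in one step; no extra setup is required.
Is the Multi-Platform Direct Message Merge Assistant free?
Yes, the Multi-Platform Direct Message Merge Assistant is completely free (open-source). You can download, install and use it at no cost.
Which platforms does the Multi-Platform Direct Message Merge Assistant support?
The Multi-Platform Direct Message Merge Assistant is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created the Multi-Platform Direct Message Merge Assistant?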
It is built and maintained by Lucas (@yikailucas); the current version is v0.1.3.