autogame-17

Feishu Card

Author: autogame-17 · GitHub ↗ · v1.4.11
cross-platform ⚠ suspicious
Total downloads: 3978
Favorites: 3
Current installs: 61
Versions: 2
Install in OpenClaw
/install feishu-card
Description
Send rich interactive Feishu cards with markdown, headers, buttons, images, and styled persona messages to users or groups.
Security usage recommendations
Install only after hardening or running it in an isolated environment. Replace execSync command strings with spawn/execFile argument arrays or direct function calls, validate target/title/color/event fields, remove or clearly disclose smart path inference for --text, and reapply secret scanning before every outbound fallback. Use a least-privilege Feishu app token and avoid sending secrets, logs, code, or regulated data through this skill unless you intend that content to reach Feishu/Lark.
Functional analysis
Type: OpenClaw Skill
Name: feishu-card
Version: 1.4.11
The skill is classified as suspicious due to critical shell injection vulnerabilities in `handle_event.js` and `send_safe.js`. In `handle_event.js`, the `eventPayload.event.event_key` (untrusted input) is directly embedded into an `execSync` command, allowing arbitrary command execution. Similarly, `send_safe.js`, despite its name, directly interpolates `options.title` (user input) into an `execSync` command, bypassing any intended sanitization for other arguments. Additionally, `send.js` contains a 'Smart Input' feature that could lead to local file disclosure if an attacker can control the `--text` argument to point to sensitive files. While the `send.js` file includes a `scanForSecrets` function, which is a positive security feature, it does not mitigate these RCE or file disclosure risks.
Capability assessment
Purpose & Capability
Sending Feishu/Lark cards, text, images, buttons, and persona-styled messages is coherent with the stated purpose. However, send_safe.js and handle_event.js build shell command strings from user-controlled or event-controlled values and pass them to execSync, which is not necessary for the messaging capability and can allow host command execution.
Instruction Scope
The README describes send_safe.js as a safe wrapper for raw text, but the wrapper still interpolates target, color, and title into a shell command. The README documents --text-file for file sending, but send.js also silently treats some --text values as local file paths, which is broader than the option description suggests.
Install Mechanism
The package uses ordinary local JavaScript files and npm dependencies on commander and dotenv, with no postinstall/preinstall script, hidden downloader, or obfuscated installer found. The package metadata has version inconsistency and depends on a sibling feishu-common module, but that is packaging risk rather than evidence of malicious install behavior.
Credentials
The skill reasonably needs Feishu credentials and network access to Feishu APIs, but it loads ../../.env, reads user-specified text and image files, can infer a file path from --text, and sends content to Feishu. Those powers are expected only with clear user control and are weakened by the command-injection paths and fallback leak behavior.
Persistence & Privilege
The skill writes temporary message files under ../../temp and caches Feishu image keys under ../../memory/feishu_image_keys.json. This persistence is related to its purpose and no background worker or privilege escalation was found, but the cache location is outside the skill directory and is not clearly disclosed in the README.
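How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install feishu-card
  3. Once installation completes, call the Skill by name or trigger it with /feishu-card
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history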
v1.4.11
- No code or documentation changes detected in this version.
- Functionality, usage, and documentation remain unchanged from the previous release.
v1.4.10
Re-publish after account restoration
Metadata
Slug feishu-card
Version 1.4.11
License
Total installs 61
Current installs 61
Number of versions 2
FAQ

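What is Feishu Card?

Send rich interactive Feishu cards with markdown, headers, buttons, images, and styled persona messages to users or groups. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 3978 total downloads to date.

How do I install Feishu Card?

Run the command "/install feishu-card" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Feishu Card free?

Yes, Feishu Card is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Feishu Card support?

Feishu Card runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who develops Feishu Card?

It is developed and maintained by autogame-17 (@autogame-17); the current version is v1.4.11.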
