← 返回 Skills 市场
konce

飞书转发消息读取器

作者 konce · GitHub ↗ · v1.1.0
cross-platform ⚠ suspicious
480
总下载
0
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install feishu-forward-reader
功能描述
读取和解析飞书合并转发消息(merge_forward)的详细内容。当收到飞书转发消息显示为"Merged and Forwarded Message"时使用此 skill 获取原始消息内容。
使用说明 (SKILL.md)

飞书转发消息读取器

读取飞书合并转发消息的详细内容。

问题背景

飞书的合并转发消息 (merge_forward) 在 OpenClaw 中默认只显示 "Merged and Forwarded Message",无法看到实际转发的内容。此 skill 通过飞书 API 获取转发消息的完整子消息列表。

凭证配置

脚本会自动从以下位置获取飞书凭证(按优先级):

  1. 命令行参数: --app-id / --app-secret
  2. 环境变量: FEISHU_APP_ID / FEISHU_APP_SECRET
  3. OpenClaw 配置: ~/.openclaw/openclaw.json 中的 channels.feishu.appId/appSecret

如果已配置 OpenClaw 飞书插件,无需额外配置即可使用。

快速使用

方法 1:Python 脚本(推荐)

# 自动从 OpenClaw 配置读取凭证
python3 scripts/parse_forward.py \x3Cmessage_id>

# 或手动指定凭证
python3 scripts/parse_forward.py \x3Cmessage_id> --app-id \x3Cid> --app-secret \x3Csecret>

# JSON 格式输出
python3 scripts/parse_forward.py \x3Cmessage_id> --format json

# 不查询用户名(更快)
python3 scripts/parse_forward.py \x3Cmessage_id> --no-names

方法 2:Shell 脚本(原始 JSON)

# 自动从配置读取凭证
./scripts/read_forward.sh \x3Cmessage_id>

# 或手动指定
./scripts/read_forward.sh \x3Cmessage_id> \x3Capp_id> \x3Capp_secret>

方法 3:直接调用 API

# 获取 token
TOKEN=$(curl -s -X POST 'https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal' \
  -H 'Content-Type: application/json' \
  -d '{"app_id":"YOUR_APP_ID","app_secret":"YOUR_APP_SECRET"}' | jq -r '.tenant_access_token')

# 获取消息详情
curl -s "https://open.feishu.cn/open-apis/im/v1/messages/\x3Cmessage_id>" \
  -H "Authorization: Bearer $TOKEN" | jq .

API 响应结构

{
  "code": 0,
  "data": {
    "items": [
      {
        "message_id": "om_xxx",
        "msg_type": "merge_forward",
        "body": {"content": "Merged and Forwarded Message"}
      },
      {
        "message_id": "om_yyy",
        "msg_type": "text",
        "body": {"content": "{\"text\":\"实际消息内容\"}"},
        "upper_message_id": "om_xxx",
        "sender": {"id": "ou_xxx", "sender_type": "user"},
        "create_time": "1234567890000"
      }
    ]
  }
}
  • 第一条是转发消息本身 (msg_type: merge_forward)
  • 后续是被转发的原始消息,带有 upper_message_id 指向父消息

支持的消息类型

类型 说明 解析方式
text 文本消息 body.content → JSON → text
post 富文本消息 body.content → JSON → title + content
interactive 卡片消息 body.content → JSON → title + elements
image 图片 显示 [图片]
file 文件 显示 [文件]
audio 语音 显示 [语音]
video 视频 显示 [视频]

权限要求

飞书应用需要以下权限:

  • im:message:readonly - 获取群组中所有消息(敏感权限)
  • contact:contact.base:readonly - 获取用户基本信息(可选,用于显示用户名)

示例输出

📨 合并转发消息 (3 条)
来源群: oc_xxxxxxxxxxxxxxxxxxxx
----------------------------------------
[02-25 14:02] 张三
  大家好,这是一条测试消息

[02-25 14:03] ou_yyyyyyyyyyy...
  收到,我看看

[02-25 14:05] 李四
  已处理完成

注:可见范围内的用户显示真实姓名,范围外的显示 ID 前缀。

安全使用建议
This skill appears to do what it says: fetch and format Feishu merged/forwarded messages. Before installing, verify the following: 1) The publisher's metadata is inconsistent — the scripts require FEISHU_APP_ID and FEISHU_APP_SECRET (or an OpenClaw config) even though the registry lists no env vars; confirm you are comfortable providing those credentials. 2) Prefer creating a dedicated Feishu app with minimal scopes (im:message:readonly and optionally contact:contact.base:readonly) rather than using high-privilege credentials. 3) The scripts will read ~/.openclaw/openclaw.json if present — check that file's contents and ensure you trust the skill to access it. 4) The code only contacts open.feishu.cn endpoints; if you see other outbound destinations in a future version, treat that as a serious red flag. If you need higher assurance, ask the publisher to update the registry metadata to declare the required env vars and to provide provenance (homepage or source repo) so you can audit the code yourself.
功能分析
Type: OpenClaw Skill Name: feishu-forward-reader Version: 1.1.0 The skill is classified as suspicious due to a critical shell injection vulnerability found in `scripts/read_forward.sh`. The `APP_ID` and `APP_SECRET` variables are directly interpolated into a `curl -d` JSON payload without proper escaping, allowing for arbitrary command execution if these inputs contain malicious shell metacharacters. While the overall purpose of the skill appears benign and the Python script (`scripts/parse_forward.py`) is robust, this vulnerability poses a significant risk.
能力评估
Purpose & Capability
Name, description, SKILL.md, and included scripts consistently implement a Feishu 'merge_forward' message reader that calls Feishu APIs to fetch and parse sub-messages. The required operations (requesting tenant token, calling im/v1/messages, optional contact user lookup) align with the described purpose.
Instruction Scope
Runtime instructions and scripts only call Feishu endpoints and optionally read ~/.openclaw/openclaw.json for credentials. This is within scope, but note the script will (optionally) call the contact API to resolve user names and will read the user's OpenClaw config file if present.
Install Mechanism
No install spec or external downloads; the skill is instruction-only plus two small scripts bundled in the skill. Nothing is written to disk by an installer beyond the included files.
Credentials
Registry metadata lists no required environment variables, yet both SKILL.md and the scripts accept/require FEISHU_APP_ID and FEISHU_APP_SECRET (or reading these from ~/.openclaw/openclaw.json). That's an inconsistency the publisher should clarify. The requested credentials are proportional to the task, but the mismatch in declared requirements is a red flag. Also the scripts will use the token to call contact API (contact:contact.base:readonly) if username resolution is enabled.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system settings. It only reads a user config file (~/.openclaw/openclaw.json) when present and uses network calls to Feishu endpoints.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install feishu-forward-reader
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /feishu-forward-reader 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.0
集成 OpenClaw 配置:自动从环境变量或 ~/.openclaw/openclaw.json 读取飞书凭证,无需硬编码
v1.0.1
脱敏处理:移除示例中的真实 ID,移除脚本中的默认凭证
v1.0.0
Initial release: 读取和解析飞书合并转发消息,支持用户名查询
元数据
Slug feishu-forward-reader
版本 1.1.0
许可证
累计安装 0
当前安装数 0
历史版本数 3
常见问题

飞书转发消息读取器 是什么?

读取和解析飞书合并转发消息(merge_forward)的详细内容。当收到飞书转发消息显示为"Merged and Forwarded Message"时使用此 skill 获取原始消息内容。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 480 次。

如何安装 飞书转发消息读取器?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install feishu-forward-reader」即可一键安装,无需额外配置。

飞书转发消息读取器 是免费的吗?

是的,飞书转发消息读取器 完全免费(开源免费),可自由下载、安装和使用。

飞书转发消息读取器 支持哪些平台?

飞书转发消息读取器 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 飞书转发消息读取器?

由 konce(@konce)开发并维护,当前版本 v1.1.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论