
Feishu @Bot

Author: pcjinglang · GitHub · v1.0.0
cross-platform ⚠ suspicious
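Total downloads: 505
Favorites: 0
Current installs: 2
Versions: 1
Install in OpenClaw
/install feishu-mention-bot
Description
@-mention a bot in a Feishu group chat and send it a message. Use when the user needs to @-mention a bot in a Feishu group, notify other bots, or have bots communicate with each other.
Usage instructions (SKILL.md)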

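Feishu @Bot skill

@-mention other bots in a Feishu group chat and send a message, so that the mentioned bot receives the notification and responds.

Prerequisites

Make sure the Feishu app has the following permissions:

  • im:message, im:message:send_as_bot — send messages
  • im:message.group_at_msg:readonly — receive @ messages

Core: @bot format

Text message

<at user_id="open_id">name</at> your message content

Rich text message (post)

Use in markdown content:

<at user_id="open_id">name</at>

Card message (interactive)

Use in lark_md content:

<at id=open_id></at>

How to get a bot's open_id

Method: extract it from the message history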

# 1. Get a tenant_access_token
TOKEN=$(curl -s -X POST "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal" \
  -H "Content-Type: application/json" \
  -d '{"app_id":"YOUR_APP_ID","app_secret":"YOUR_APP_SECRET"}' | jq -r '.tenant_access_token')

# 2. Get the group message history and extract mentions
curl -s "https://open.feishu.cn/open-apis/im/v1/messages?container_id_type=chat&container_id=CHAT_ID&page_size=50" \
  -H "Authorization: Bearer $TOKEN" | \
  jq '[.data.items[]? | select(.mentions != null and .mentions != []) | .mentions[]?] | unique_by(.id)'

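Key points:

  • Feishu's group member API does not return bot information
  • The open_id must be extracted from the mentions field of the message history
  • Only messages in which the bot was @-mentioned in the group carry mentions

Usage examples

Using the message tool

message action=send channel=feishu target=chat:CHAT_ID message="<at user_id=\"ou_xxx\">机器人名</at> 你好!"

Calling the Feishu API directly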

curl -X POST "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=chat_id" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "receive_id": "CHAT_ID",
    "msg_type": "text",
    "content": "{\"text\":\"<at user_id=\\\"ou_xxx\\\">机器人名</at> 你好!\"}"
  }'

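Notes

  1. An open_id is required: app_id cannot be used; it must be an open_id starting with ou_
  2. The bot must be in the group: the mentioned bot must be a group member
  3. The bot must subscribe to the event: the mentioned bot has to subscribe to the im.message.group_at_msg event to receive the notification
  4. Cache the bot's open_id: once obtained, save it to TOOLS.md or a database to avoid repeated lookups

Bots currently in the group

Look up the specific open_id in TOOLS.md or the message history

Example:

Name          open_id
OpenClaw唐    ou_xxx
Lynn          ou_xxx

Security recommendations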
This skill appears to be what it says (how to @-mention bots in Feishu), but its runtime examples require Feishu app_id/app_secret and instruct caching open_id to TOOLS.md — yet those credentials and paths are not declared in the metadata. Before installing or running: 1) Confirm how and where you will provide app_id/app_secret (do not paste secrets into public files); 2) Prefer a least-privileged Feishu app and short-lived tokens; 3) If the skill will write TOOLS.md or other files, ensure those files are stored securely (use a secrets manager or protected database, not plaintext in workspace); 4) Ask the skill author what the 'message' tool is and whether it has access to other credentials/files; 5) If you are uncomfortable with undeclared secret usage or local writes, do not enable the skill until the author documents required env vars/paths and their intended use.
Functional analysis
Type: OpenClaw Skill · Name: feishu-mention-bot · Version: 1.0.0
The `SKILL.md` file contains `bash` command examples that interact with the Feishu API, including fetching `tenant_access_token` and group message history. While these actions are plausible for the skill's stated purpose of identifying bot `open_id`s, the direct inclusion of `curl` commands with placeholders (e.g., `CHAT_ID`, `YOUR_APP_ID`, `YOUR_APP_SECRET`) presents a significant shell injection vulnerability risk if an AI agent were to execute these commands with unsanitized user-provided inputs. There is no clear evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints or backdoor installation.
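The analysis above flags shell injection when an agent fills the SKILL.md `curl` templates with unsanitized input. As an added example (not code from the skill or from OpenClaw), the send-message call can be built in Python with no shell involved; the ID patterns beyond the `ou_` prefix and the environment variable names are assumptions.

```python
import json
import os
import re
import urllib.parse
import urllib.request

API = "https://open.feishu.cn/open-apis"
# Assumed ID shapes: the page only states that open_id starts with "ou_";
# the "oc_" chat prefix and the character set are assumptions of this example.
OPEN_ID_RE = re.compile(r"ou_[A-Za-z0-9]{1,64}")
CHAT_ID_RE = re.compile(r"oc_[A-Za-z0-9]{1,64}")

def checked(value, pattern, label):
    """Return value only if it fully matches the allowlist pattern."""
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise ValueError(f"rejected {label}: {value!r}")
    return value

def build_mention_request(chat_id, open_id, name, text, token):
    """Build the send-message request from the page's curl example without a shell."""
    checked(chat_id, CHAT_ID_RE, "chat_id")
    checked(open_id, OPEN_ID_RE, "open_id")
    if re.search(r'[<>"]', name):
        raise ValueError("display name must not contain tag or quote characters")
    at_tag = f'<at user_id="{open_id}">{name}</at>'
    body = {
        "receive_id": chat_id,
        "msg_type": "text",
        # "content" is itself a JSON string, so it is encoded twice by json.dumps.
        "content": json.dumps({"text": f"{at_tag} {text}"}, ensure_ascii=False),
    }
    url = f"{API}/im/v1/messages?" + urllib.parse.urlencode({"receive_id_type": "chat_id"})
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )

def load_app_credentials(env=os.environ):
    """Read app_id/app_secret from the environment (variable names are hypothetical)."""
    try:
        return env["FEISHU_APP_ID"], env["FEISHU_APP_SECRET"]
    except KeyError as missing:
        raise RuntimeError(f"missing credential variable: {missing}") from None
```

The returned request is sent with `urllib.request.urlopen`; because no command line is ever assembled, quoting characters in the message text stay data.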
Capability assessment
Purpose & Capability
The name/description (mentioning bots in Feishu group chat) align with the SKILL.md content: it explains message formats (<at> tags), how to call the Feishu API, and how to extract bots' open_id from mentions.
Instruction Scope
The instructions include concrete API calls that require Feishu app_id/app_secret and a tenant_access_token, and they show saving open_id to TOOLS.md or a database. However the skill metadata declares no required credentials or config paths. The SKILL.md also refers to a 'message' tool command (message action=send) without declaring or describing that tool. The instructions therefore assume access to secrets and to writable local tooling/config that were not declared.
Install Mechanism
No install spec and no code files (instruction-only). This is low risk from an install perspective — nothing is downloaded or written by an install step.
Credentials
Although the metadata declares no required environment variables or primary credential, the runtime examples require app_id and app_secret (sensitive credentials) to obtain a tenant_access_token. The skill should have declared that it needs these credentials; absence is a proportionality/visibility mismatch.
Persistence & Privilege
always:false and normal autonomous invocation are used (expected). The guidance to 'cache robot open_id' in TOOLS.md or DB implies persistent storage of identifiers (and possibly tokens if misused) in the agent workspace — this is behavior to be cautious about but not inherently privileged.
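How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install feishu-mention-bot
  3. After installation, call the Skill by name or trigger it with /feishu-mention-bot
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.0
Initial version: supports @-mentioning a bot in a Feishu group chat and sending a message
Metadata
Slug feishu-mention-bot
Version 1.0.0
License
Total installs 2
Current installs 2
Historical versions 1
FAQ

What is Feishu @Bot?

@-mention a bot in a Feishu group chat and send it a message. Use when the user needs to @-mention a bot in a Feishu group, notify other bots, or have bots communicate with each other. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 505 total downloads so far.

How do I install Feishu @Bot?

Run the command "/install feishu-mention-bot" in the OpenClaw or Claude Code chat box for a one-step install, with no additional configuration required.

Is Feishu @Bot free?

Yes, Feishu @Bot is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Feishu @Bot support?

Feishu @Bot is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Feishu @Bot?

It is developed and maintained by pcjinglang (@pcjinglang); the current version is v1.0.0.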
