deadblue22

Feishu Merged Msg

Author: deadblue · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 408 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw
/install feishu-merged-msg
Description
Fetch and parse Feishu merged/forwarded messages (合并转发消息). Activate when a Feishu message shows "Merged and Forwarded Message" with no readable content, or w...
Usage instructions (SKILL.md)

Feishu Merged Message Fetcher

Feishu's merge_forward messages appear as "Merged and Forwarded Message" with no content in the bot API. Use the Feishu REST API to retrieve the actual sub-messages.

When to Use

  • Message body contains only "Merged and Forwarded Message"
  • msg_type is merge_forward
  • User asks about a forwarded/合并转发 message you can't read

How It Works

The Feishu GET /open-apis/im/v1/messages/{message_id} endpoint returns the parent message plus all sub-messages in data.items[]. Sub-messages have upper_message_id pointing to the parent.

Steps

  1. Get the message_id of the merged message (from inbound context or replied message metadata).

  2. Run the fetch script:

    bash <skill_dir>/scripts/fetch_merged_msg.sh <message_id> <app_id> <app_secret>
    
    • app_id / app_secret: from OpenClaw config at .channels.feishu in openclaw.json
    • If credentials are not readily available, extract them:
      python3 -c "import json; d=json.load(open('/root/.openclaw/openclaw.json')); c=d['channels']['feishu']; print(c.get('appId',''), c.get('appSecret',''))"
      
  3. Parse the JSON response:

    • data.items[0] is the parent (merge_forward) message
    • data.items[1:] are the sub-messages in chronological order
    • Each sub-message has body.content with the actual text/post content
    • mentions[] maps @_user_N placeholders to real names
    • sender.id identifies who sent each sub-message
  4. Summarize the conversation thread for the user.

Notes

  • The API requires im:message:readonly scope on the Feishu app.
  • Images inside sub-messages show as image_key references; they cannot be directly displayed but can be described from context.
  • Sub-messages may come from different chats (check chat_id); the original chat context may differ from the current group.
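Step 3 as an added Python example (not part of the skill's own code), run here on a constructed response. Assumptions not stated on the page: `body.content` is a JSON-encoded string, and each `mentions[]` entry carries `key` and `name` fields.

```python
import json

# Constructed sample shaped like the response described above; not real data.
SAMPLE = {"data": {"items": [
    {"message_id": "om_parent", "msg_type": "merge_forward",
     "body": {"content": "Merged and Forwarded Message"}},
    {"message_id": "om_child1", "upper_message_id": "om_parent",
     "msg_type": "text", "chat_id": "oc_chatA",
     "sender": {"id": "ou_alice"},
     "body": {"content": json.dumps({"text": "@_user_1 please review"})},
     "mentions": [{"key": "@_user_1", "name": "Bob"}]},
    {"message_id": "om_child2", "upper_message_id": "om_parent",
     "msg_type": "image", "chat_id": "oc_chatB",
     "sender": {"id": "ou_bob"},
     "body": {"content": json.dumps({"image_key": "img_constructed"})}},
]}}


def render_body(msg):
    """Return readable text for one sub-message, resolving @_user_N placeholders."""
    raw = msg.get("body", {}).get("content", "")
    try:
        content = json.loads(raw)  # assumption: content is a JSON-encoded string
    except (TypeError, ValueError):
        return raw
    if not isinstance(content, dict):
        return raw
    if "image_key" in content:
        return f"[image {content['image_key']}]"  # images are references only
    text = content.get("text", raw)
    # Longest key first so @_user_1 does not clobber @_user_10.
    for m in sorted(msg.get("mentions", []), key=lambda m: -len(m["key"])):
        text = text.replace(m["key"], "@" + m["name"])
    return text


def parse_merged(response):
    """Split data.items into the parent and the sub-messages that point at it."""
    items = response.get("data", {}).get("items", [])
    if not items or items[0].get("msg_type") != "merge_forward":
        raise ValueError("first item is not a merge_forward parent")
    parent_id = items[0]["message_id"]
    subs = [i for i in items[1:] if i.get("upper_message_id") == parent_id]
    return {
        "parent_id": parent_id,
        "chats": sorted({s.get("chat_id") for s in subs if s.get("chat_id")}),
        "thread": [(s["sender"]["id"], render_body(s)) for s in subs],
    }
```

More than one entry in `chats` means the forwarded thread spans chats other than the current group, which is worth surfacing before summarizing.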
Security recommendations
This skill appears to do what it says (fetch Feishu merged messages) but it instructs the agent to read and print secrets from your local OpenClaw config (/root/.openclaw/openclaw.json) while the manifest doesn't declare that requirement. Before installing or running it: (1) verify the skill's origin — source and homepage are unknown; (2) do not run the provided python snippet that prints credentials to stdout — instead fetch app_id/app_secret manually from your secret store; (3) prefer creating a Feishu app with minimal scope (im:message:readonly) and short-lived/test credentials; (4) inspect and run the shell script in a safe/isolated environment; (5) consider adding an explicit config requirement or removing the instruction to read the OpenClaw config so the skill does not encourage inadvertent exposure of other secrets. If you need to use it, provide only the minimal credentials the script requires and avoid exposing your entire openclaw.json.
Functional analysis
Type: OpenClaw Skill · Name: feishu-merged-msg · Version: 1.0.0
The skill is highly suspicious due to a critical shell injection vulnerability in `scripts/fetch_merged_msg.sh`. The `MSG_ID` variable is used unquoted in a `curl` command's URL, allowing for arbitrary command execution if a malicious user can control the `message_id` input. Additionally, `SKILL.md` instructs the agent to explicitly read sensitive credentials from `/root/.openclaw/openclaw.json` using a `python3 -c` command, which, while intended for legitimate purposes, highlights a prompt injection vector and risky file access pattern.
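A caller-side mitigation for the two findings above, as an added Python example rather than the skill's own code: the `message_id` is checked against an allowlist pattern before it reaches the script, and only the Feishu credentials are read from the config without being printed. The ID pattern, the function names, and the script writing its JSON to stdout are assumptions.

```python
import json
import re
import subprocess

# Assumption: message IDs look like "om_" plus letters, digits or underscores.
MESSAGE_ID_RE = re.compile(r"om_[A-Za-z0-9_]{1,128}")


def load_feishu_credentials(config_path="/root/.openclaw/openclaw.json"):
    """Return (appId, appSecret) from .channels.feishu only; nothing is printed."""
    with open(config_path, encoding="utf-8") as fh:
        feishu = json.load(fh).get("channels", {}).get("feishu", {})
    app_id, app_secret = feishu.get("appId"), feishu.get("appSecret")
    if not app_id or not app_secret:
        raise KeyError("channels.feishu.appId/appSecret missing")
    return app_id, app_secret


def build_argv(script_path, message_id, config_path):
    """Build the argument vector for fetch_merged_msg.sh, rejecting unsafe IDs."""
    # fullmatch: whitespace, quotes, globs or shell metacharacters fail the check,
    # so the unquoted MSG_ID inside the script cannot be split or expanded.
    if not MESSAGE_ID_RE.fullmatch(message_id):
        raise ValueError("message_id rejected: unexpected characters")
    app_id, app_secret = load_feishu_credentials(config_path)
    return ["bash", script_path, message_id, app_id, app_secret]


def fetch(script_path, message_id, config_path="/root/.openclaw/openclaw.json"):
    """Run the script with a list argv (no shell) and return its parsed JSON."""
    argv = build_argv(script_path, message_id, config_path)
    done = subprocess.run(argv, capture_output=True, text=True,
                          check=True, timeout=30)
    return json.loads(done.stdout)  # assumption: the script emits JSON on stdout
```

The secret still travels as a positional argument because that is the script's interface, so it is visible in the process list while the script runs.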
Capability assessment
Purpose & Capability
Functionality (retrieving sub-messages from Feishu merge_forward messages) matches the name and code: the included shell script exchanges app credentials for a tenant token and calls the Feishu messages API. However, the package declares no required credentials/config paths while the README explicitly requires app_id/app_secret (and suggests pulling them from local OpenClaw config), which is an inconsistency.
Instruction Scope
SKILL.md explicitly instructs the agent to run a script and — if credentials are not available — to execute a python one-liner that loads /root/.openclaw/openclaw.json to print appId/appSecret. That directs reading a local config file containing secrets that was not declared and encourages printing sensitive credentials to stdout.
Install Mechanism
No install spec; the skill is instruction-only with a small included shell script. The script itself is straightforward (curl + python JSON parse) and does not download or install external code.
Credentials
Needing Feishu app_id/app_secret is reasonable for the stated API access, but the skill fails to declare required credentials/config paths while telling the agent how to extract secrets from a local OpenClaw config. This encourages access to local secrets beyond what the manifest advertises and risks exposing other stored credentials if the path contains more than just Feishu keys.
Persistence & Privilege
Skill does not request persistent/always-on privileges and does not modify other skills or system settings. It runs on demand and performs immediate API calls only.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install feishu-merged-msg
  3. Once installed, invoke the Skill by name or trigger it with /feishu-merged-msg
  4. Provide the required inputs per the Skill's parameter description to get structured output
Version history
v1.0.0
- Initial release of the Feishu Merged Message Fetcher skill.
- Retrieves and parses Feishu "Merged and Forwarded" (merge_forward) messages, exposing sub-messages and content not readable in the default bot API.
- Provides CLI scripts and instructions to fetch sub-messages via the Feishu REST API.
- Supports retrieval of sender info, message mentions, and content summarization of forwarded message threads.
- Clarifies handling for message images and chat context in merged messages.
Metadata
Slug feishu-merged-msg
Version 1.0.0
License
Total installs 0
Current installs 0
Version count 1
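FAQ

What is Feishu Merged Msg?

Fetch and parse Feishu merged/forwarded messages (合并转发消息). Activate when a Feishu message shows "Merged and Forwarded Message" with no readable content, or w... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 408 total downloads so far.

How do I install Feishu Merged Msg?

Run the command "/install feishu-merged-msg" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.

Is Feishu Merged Msg free?

Yes, Feishu Merged Msg is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Feishu Merged Msg support?

Feishu Merged Msg runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Feishu Merged Msg?

It is developed and maintained by deadblue (@deadblue22); the current version is v1.0.0.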