dadaniya99

Feishu Card

Author: dadaniya99 · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 418
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install xiaolongxia-feishu-card
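Description
Feishu interactive card sending skill (compatible with the international version of Feishu). Use it when you need to send richly formatted Feishu card messages. Supports titles, Markdown content, and color themes. Key point: you must use the schema 2.0 format plus double JSON stringify, otherwise the international version of Feishu cannot render the card.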
Security usage recommendations
This skill appears to do what it claims (construct and send Feishu schema 2.0 interactive cards), but it reads your OpenClaw configuration file (~/.openclaw/openclaw.json) to obtain the Feishu app_secret while the registry metadata declares no required credentials; that's an inconsistency you should address before installing. Recommended actions:
  1. Inspect the file ~/.openclaw/openclaw.json to see what secrets it contains and whether you are comfortable the skill can read it.
  2. Avoid running the curl example that uses cat to inject the secret into a shell variable (it can leak to logs or process listings); instead supply secrets via a safer mechanism (read-only file with strict permissions or an explicitly declared environment variable).
  3. If you do not want the skill to read your OpenClaw config, modify the script to accept APP_SECRET via an environment variable or CLI argument and run it in a restricted account.
  4. Verify the hard-coded APP_ID is expected for your environment.
  5. If you need stronger assurance, request the author to update skill metadata to declare the required config path/credential and to remove any examples that expose secrets in shell history or logs.
Functional analysis
Type: OpenClaw Skill
Name: xiaolongxia-feishu-card
Version: 1.0.0
The skill bundle is classified as suspicious because it explicitly instructs the AI agent and the included Python script (scripts/send_card.py) to read sensitive credentials (appSecret) from a global configuration file (/root/.openclaw/openclaw.json). While the script uses these credentials to interact with the legitimate Feishu API (open.feishu.cn), the practice of accessing a broad configuration file that may contain other platform secrets, combined with a hardcoded APP_ID (cli_a9f5877b3378dbd8), represents a high-risk pattern for credential exposure.
Capability assessment
Purpose & Capability
Functionality matches the name/description: the code and docs construct a schema 2.0 Feishu interactive card and call Feishu's official endpoints. However, the skill metadata declares no required env vars or config paths while both SKILL.md and scripts/read_card.py require access to the OpenClaw config file (~/.openclaw/openclaw.json). This mismatch (undeclared credential/config requirement) is a material coherence issue.
Instruction Scope
SKILL.md explicitly instructs reading /root/.openclaw/openclaw.json to extract app_secret and provides a curl example that cat's the file into a shell variable — behavior that can leak secrets (shell history, process command lines, logs). The script itself reads ~/.openclaw/openclaw.json and extracts channels.feishu.appSecret. Aside from the secret access, the instructions stay within the stated purpose (obtaining a token and sending a card) and call only Feishu endpoints.
Install Mechanism
No install spec; this is an instruction-only skill with a small included helper script. Nothing is downloaded from external/untrusted URLs and nothing is installed automatically, which is low risk.
Credentials
The skill requires a Feishu app secret to operate, but the registry metadata lists no required environment variables or config paths and no primary credential. The script implicitly reads the user's OpenClaw config file to get the app secret; requesting access to that file (which may contain other secrets) is reasonable for authentication but should be declared. The hard-coded APP_ID is present in the code; that is expected but should be documented. Overall the credential access is reasonable for the task but underdeclared and potentially surprising.
Persistence & Privilege
The skill is not always-included, does not request elevated platform privileges, and does not modify other skills or system-wide settings. It runs as a simple utility script and only performs one-off token fetch and POST to Feishu.
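How to use
  1. Make sure OpenClaw is installed (local or Docker deployment).
  2. Enter the install command in the chat box: /install xiaolongxia-feishu-card
  3. After installation, invoke the Skill by name or trigger it with /xiaolongxia-feishu-card
  4. Provide the required inputs according to the Skill's parameter description to get structured output.
Version history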
v1.0.0
- Initial release of the Feishu interactive card sending skill, supporting the international version of Feishu.
- Enables sending rich-format interactive card messages using schema 2.0, compatible with both Chinese and English Feishu interfaces.
- Requires double JSON.stringify of the card content to ensure rendering on international Feishu.
- Provides documentation, card structure examples, supported tags, color themes, and troubleshooting guidance.
- Supports sending methods via Python script, direct message tool call, or manual curl command.
Metadata
Slug xiaolongxia-feishu-card
Version 1.0.0
License
Total installs 0
Current installs 0
Number of versions 1
FAQ

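What is Feishu Card?

Feishu interactive card sending skill (compatible with the international version of Feishu). Use it when you need to send richly formatted Feishu card messages. Supports titles, Markdown content, and color themes. Key point: you must use the schema 2.0 format plus double JSON stringify, otherwise the international version of Feishu cannot render the card. It is an AI Agent Skill plugin for Claude Code / OpenClaw and has been downloaded 418 times in total so far.

How do I install Feishu Card?

Run the command "/install xiaolongxia-feishu-card" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.

Is Feishu Card free?

Yes, Feishu Card is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Feishu Card support?

Feishu Card runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Feishu Card?

It is developed and maintained by dadaniya99 (@dadaniya99); the current version is v1.0.0.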
