技能详情(站内镜像,无评论)
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.0.3
统计:⭐ 0 · 693 · 9 current installs · 9 all-time installs
⭐ 0
安装量(当前) 9
🛡 VirusTotal :良性 · OpenClaw :可疑
Package:autogame-17/feishu-chat-forwarder
安全扫描(ClawHub)
- VirusTotal :良性
- OpenClaw :可疑
OpenClaw 评估
The skill's code matches its stated purpose (fetch Feishu messages and merge-forward them) but it silently expects Feishu credentials, reads/writes files outside its folder, and has manifest/install inconsistencies that could lead to unexpected credential exposure or persistence.
目的
The code implements exactly what the description says (listing messages and calling Feishu merge_forward). However the runtime requires FEISHU_APP_ID and FEISHU_APP_SECRET (loaded via dotenv) even though the registry metadata declares no required env vars or primary credential. This is an incoherence: the skill needs cloud credentials but does not declare them.
说明范围
SKILL.md documents running node skills/chat-forwarder/index.js but does not mention that the script will load environment variables from ../../.env or that it will write a token cache to ../../memory/feishu_token.json. The code therefore reads/writes files outside the skill folder (potentially shared locations) and persists a tenant access token — behavior not described in the instructions.
安装机制
There is no install spec (instruction-only), but the skill includes Node code and a package.json. SKILL.md shows running node, yet the registry lists 'required binaries: none'. The code also calls require('dotenv') but dotenv is not listed in package.json dependencies, so the packaged code will fail unless the runtime already has that module. These manifest and dependency mismatches are sloppy and can lead to unexpected runtime errors or hidde…
证书
Sensitive environment variables (FEISHU_APP_ID, FEISHU_APP_SECRET) are used but not declared in requires.env or primary credential. The code will read ../../.env (relative path) which may expose other env settings, and it persists a tenant token to ../../memory/feishu_token.json — creating stored credentials that may be accessible to other processes or skills. Requesting and persisting these secrets without explicit declaration is disproportio…
持久
The skill is not set to always:true, but it writes a token cache to a '../../memory' path relative to the skill. That location looks like it could be shared across skills or the agent runtime, increasing persistence and cross-skill access risk. The skill does not modify other skills' configs, but its persistent token storage and outward network calls expand its blast radius beyond a single ephemeral invocation.
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「feishu-chat-forwarder」。简介:Fetch recent messages from a Feishu group chat and forward them as a merged mes…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/autogame-17/feishu-chat-forwarder/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
# Chat Forwarder (chat-forwarder)
A skill to fetch recent chat history from a group and send it as a "Merge Forward" (合并转发) message to a target user.
## Tools
### `node skills/chat-forwarder/index.js`
Fetches and forwards messages.
**Options:**
- `--source <chat_id>`: Source Chat ID (e.g., `oc_xxx`).
- `--target <open_id>`: Target User/Chat ID to receive the forward.
- `--limit <number>`: Number of recent messages to forward (default: 20, max 100).
## Usage
```bash
node skills/chat-forwarder/index.js --source "oc_123..." --target "ou_456..." --limit 50
```