技能详情(站内镜像,无评论)
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.0.0
统计:⭐ 0 · 643 · 6 current installs · 6 all-time installs
⭐ 0
安装量(当前) 6
🛡 VirusTotal :可疑 · OpenClaw :可疑
Package:autogame-17/feishu-broadcast
安全扫描(ClawHub)
- VirusTotal :可疑
- OpenClaw :可疑
OpenClaw 评估
The skill mostly does what it claims (broadcast to all Feishu users) but its metadata and instructions omit required credentials and it reads/writes env/config files outside its own folder and invokes other skills via shell, which is disproportionate and risky.
目的
The code implements tenant-wide broadcasting and appropriately fetches all users and posts messages, which matches the stated purpose. However the skill metadata declares no required environment variables or credentials while lib/api.js clearly requires FEISHU_APP_ID and FEISHU_APP_SECRET. The SKILL.md lists feishu-post and feishu-sticker as dependencies but the registry metadata does not declare them; index.js invokes those other skills via C…
说明范围
SKILL.md instructs running the included index.js but does not mention the need to provide Feishu credentials or .env setup. The runtime code searches for .env files in multiple parent directories (process.cwd() and ../.. paths) and reads/writes a token cache at path ../../../memory/feishu_token.json, meaning it can access configuration outside the skill's directory. The skill also uses child_process.exec to run other skill CLIs with interpolat…
安装机制
There is no install spec (instruction-only), which lowers install-time risk. However the package contains package.json and node dependencies (dotenv, node-fetch, yargs). That means runtime requires those Node modules to be present; absence of an install step is an inconsistency but not necessarily malicious. No external downloads or obscure URLs are used.
证书
The code requires FEISHU_APP_ID and FEISHU_APP_SECRET to obtain a tenant access token, but the skill's declared 'Required env vars' and 'Primary credential' are empty. Additionally, the code will load .env files from several parent directories and will write a token cache to a relative '../../../memory' path — both behaviors can expose or clobber unrelated secrets/config in the host environment. Requesting tenant-scoped credentials is expected…
持久
The skill does not request 'always: true', but it does persist a tenant token to a token cache file located outside the skill directory (resolved to '../../../memory/feishu_token.json'). Writing and reading this shared token file and probing .env files in ancestor directories gives the skill broader filesystem reach than the SKILL.md/metadata suggest. The skill does not modify other skills' configuration explicitly, but the cross-directory rea…
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「feishu-broadcast」。简介:Broadcast text, rich Markdown posts, images, and stickers to all users in a Fei…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/autogame-17/feishu-broadcast/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
# Feishu Broadcast Skill
Broadcast messages (Post/Rich Text) and Images/Stickers to ALL users in the Feishu tenant.
## Features
- **Dynamic User List**: Fetches all users from Feishu API (no hardcoded IDs).
- **Rich Text**: Supports Markdown via `feishu-post`.
- **Media**: Supports Stickers/GIFs via `feishu-sticker`.
- **Safety**: Rate limiting and Dry Run mode.
## Usage
```bash
# Send text
node skills/feishu-broadcast/index.js --title "Announcement" --text "Hello Everyone!"
# Send text from file (recommended for long messages)
node skills/feishu-broadcast/index.js --title "Weekly Report" --text-file "report.md"
# Send sticker
node skills/feishu-broadcast/index.js --image "media/sticker.webp"
# Combined
node skills/feishu-broadcast/index.js --title "Hi" --text "Check this out" --image "media/cool.gif"
```
## Dependencies
- `feishu-post` skill (must be installed)
- `feishu-sticker` skill (must be installed)