Feishu Upload Skill
v1.0.0
Uploads files to the Feishu cloud drive and sends them to a specified chat; supports automatic token management, a 30MB size limit and multiple file formats. Requires Node.js 18+.
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The code, README and SKILL.md all implement Feishu upload/send functionality which matches the name. However the skill embeds an App ID and App Secret in get_feishu_token.sh and expects OpenClaw config at /home/node/.openclaw/openclaw.json and token files under /home/node/.openclaw/workspace/. The registry metadata declared no required env vars or config paths; that is inconsistent and unexpected for a networked OAuth-based integration.
Instruction Scope
Runtime instructions and scripts read and write files in /home/node/.openclaw/workspace (feishu_token.txt, upload_result.json) and may run get_feishu_token.sh during install. The scripts will obtain a tenant_access_token from Feishu and save it locally. The instructions do not request explicit user-provided credentials via env vars, but the code uses a hard-coded APP_ID/APP_SECRET — this expands the skill's effective access beyond what the metadata declares.
Install Mechanism
There is no network install spec (lowest-risk category). The package is instruction+script based and includes an install.sh that copies files into the skills directory and may call get_feishu_token.sh. No remote downloads or obfuscated fetches were found. install.sh assumes Node.js ≥18 and presence of OpenClaw config; it will attempt to run token acquisition if no token exists.
Credentials
Registry metadata lists no required credentials or config paths, yet the code: (1) reads/writes /home/node/.openclaw/openclaw.json and /home/node/.openclaw/workspace/feishu_token.txt; (2) hard-codes APP_ID and APP_SECRET in get_feishu_token.sh; and (3) prints partial token values. The presence of an embedded APP_SECRET (sensitive credential) without declaration or explanation is disproportionate and requires review/rotation before use.
Persistence & Privilege
always:false and user-invocable:true (normal). The skill writes token and result files into its workspace (feishu_token.txt, upload_result.json), which is expected for this functionality. It does not request always:true and does not modify other skills' configuration.
What to consider before installing
- Credentials: get_feishu_token.sh contains a hard-coded APP_ID and APP_SECRET. Treat those as sensitive: do not assume they are safe to use. Either replace them with your own app credentials, or remove the script and supply your own tenant_access_token. If those credentials were used in a shared/demo package, rotate them in Feishu immediately.
- Metadata mismatch: the registry metadata claims no required config/env, but the code reads /home/node/.openclaw/openclaw.json and stores/reads /home/node/.openclaw/workspace/feishu_token.txt. Expect the skill to create and read token files in the OpenClaw workspace.
- Inspect and run in a sandbox: run install and first runs in an isolated environment (or container) so you can see token creation and network calls. The endpoints contacted are legitimate Feishu endpoints (open.feishu.cn), but you should still control which App ID/Secret are used.
- Dependencies & runtime: the scripts target Node.js ≥18. Some scripts (simple_feishu_upload.js) require the npm package 'form-data' even though package.json declares no dependencies; install the missing package or prefer the native native_feishu_upload.js on Node 18+. get_feishu_token.sh uses python3 for JSON parsing, so make sure python3 is installed.
- Audit outputs: the skill saves tokens and upload_result.json in the workspace. Ensure those files are stored with appropriate permissions and rotated/removed if they contain sensitive tokens.
- Recommended actions: (1) open and remove/replace embedded APP_SECRET with your own or change get_feishu_token.sh to read credentials from a secure location (env vars or a secrets manager); (2) declare required config paths/env in your OpenClaw deployment; (3) run the tool manually first to verify behavior; (4) if you do not trust the source, do not run get_feishu_token.sh — instead obtain a token via your own secure process.
Overall: the code implements the advertised feature and uses legitimate Feishu APIs, but the presence of embedded credentials and the metadata/config mismatches are red flags — treat this as suspicious until credentials and config handling are fixed or explicitly approved.
Feishu Upload Skill
Feishu file upload skill: upload files directly to Feishu and send them to a chat
Features
- ✅ File upload: upload local files to the Feishu cloud drive
- ✅ Message sending: send file messages to a specified chat
- ✅ Automatic token management: access tokens are obtained and refreshed automatically
- ✅ Size limit check: the 30MB file size limit is checked automatically
- ✅ Multi-format support: all file types (text, images, archives, etc.)
- ✅ Pure Node.js implementation: no extra dependencies, uses Node.js 18+ built-in features
Quick start
1. Upload a file and send it to a chat
node feishu_complete_upload.js <file path> <chat ID>
Example:
node feishu_complete_upload.js document.txt oc_dd899cb1a7846915cdd2d6850bd1dafa
2. Upload a file only (get the file key)
node feishu_complete_upload.js <file path>
3. Use the simplified scripts
# Simple upload
node native_feishu_upload.js <file path>
# Get an access token
./get_feishu_token.sh
File overview
Core files
- feishu_complete_upload.js - complete upload-and-send tool (recommended)
- native_feishu_upload.js - simple upload tool using the native FormData
- get_feishu_token.sh - script that obtains and refreshes access tokens
Helper files
- feishu_upload_simple.sh - simple upload script implemented in Bash
- feishu_upload_fixed.sh - fixed version of the Bash upload script
- simple_feishu_upload.js - simplified Node.js upload tool
Configuration files
- feishu_token.txt - access token cache file (generated automatically)
- upload_result.json - result of the last upload
How it works
Three-step upload flow
- Get an access token: use the App ID and App Secret to obtain a tenant_access_token
- Upload the file: upload it through the Feishu /im/v1/files API and receive a file_key
- Send the message: use the file_key to send a file message to the specified chat
API endpoints
- Get token: POST /open-apis/auth/v3/tenant_access_token/internal
- Upload file: POST /open-apis/im/v1/files
- Send message: POST /open-apis/im/v1/messages
Required permissions
- im:message:send_as_bot - permission to send messages
- im:file:send_as_bot - permission to send files (may be required)
- file upload permission (already granted via drive:file:upload)
Usage examples
Example 1: upload a text file
# Create a test file
echo "测试内容" > test.txt
# Upload and send to a group chat
node feishu_complete_upload.js test.txt oc_dd899cb1a7846915cdd2d6850bd1dafa
Example 2: upload an image file
# Upload an image
node feishu_complete_upload.js photo.jpg oc_dd899cb1a7846915cdd2d6850bd1dafa
Example 3: upload an archive
# Compress the files
tar -czf archive.tar.gz folder/
# Upload the archive
node feishu_complete_upload.js archive.tar.gz oc_dd899cb1a7846915cdd2d6850bd1dafa
Error handling
Common errors
- Token expired: the token is refreshed automatically
- File too large: the file exceeds the 30MB limit
- Insufficient permissions: check the Feishu app's permission configuration
- Network problems: automatic retry mechanism
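The error list above separates failures that a retry can fix from ones it cannot. The following is an added example, not code from this skill, of a bounded retry wrapper in Node.js 18+: socket and DNS errors and HTTP 5xx responses are retried with exponential backoff, while a non-zero Feishu "code" (such as a permission error) or an oversize file is surfaced on the first attempt. The error classes, the transient error-code set and the delay values are this example's own choices.

```javascript
// Added example, not the skill's own code: bounded retry for the "network problems" case.
// Only transient failures are retried; a permission error or an oversize file is thrown
// on the first attempt so it is not silently repeated. Classes and codes are constructed here.

// Raised when the Feishu response carries a non-zero "code"; permission problems land here.
class FeishuApiError extends Error {
  constructor(code, msg) { super(`feishu api error ${code}: ${msg}`); this.code = code; }
}
// Raised from an HTTP status: fetch does not throw on 5xx, so the caller checks res.ok first.
class HttpStatusError extends Error {
  constructor(status) { super(`http ${status}`); this.status = status; }
}

// Node socket/DNS error codes that a second attempt can plausibly fix.
const TRANSIENT_CODES = new Set(['ECONNRESET', 'ETIMEDOUT', 'EAI_AGAIN', 'ECONNREFUSED']);

function isTransient(err) {
  if (!err) return false;
  if (TRANSIENT_CODES.has(err.code)) return true;
  if (err.cause && TRANSIENT_CODES.has(err.cause.code)) return true; // fetch wraps socket errors in .cause
  return err instanceof HttpStatusError && err.status >= 500;
}

const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Exponential backoff with a fixed attempt budget; sleep is injectable so tests run instantly.
async function withRetry(fn, { attempts = 3, baseDelayMs = 200, sleep = defaultSleep } = {}) {
  for (let attempt = 1; ; attempt++) {
    try {
      return await fn(attempt);
    } catch (err) {
      if (!isTransient(err) || attempt >= attempts) throw err;
      await sleep(baseDelayMs * 2 ** (attempt - 1));
    }
  }
}
```

Wrap each of the three API calls separately (`withRetry(() => uploadFile(...))`) rather than the whole flow, so a retry after a failed send does not re-upload the file; a 30MB check done before the call never enters the retry loop at all.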
Debug mode
# Show verbose logs
DEBUG=1 node feishu_complete_upload.js file.txt chat_id
Integrating with OpenClaw
Calling it as a tool
const { execSync } = require('child_process');
const result = execSync('node feishu_complete_upload.js file.txt chat_id').toString();
console.log(JSON.parse(result));
Using it as a Skill
- Copy this folder into the skills/ directory
- Enable it in the OpenClaw configuration
- Invoke it via a command or the API
Notes
- File size: files up to 30MB are supported
- Token validity: access tokens are valid for 2 hours and are refreshed automatically
- Permission configuration: make sure the Feishu app has the correct permissions
- Network environment: requires network access to the Feishu API
- Node.js version: requires Node.js 18+ (global FormData and fetch support)
Changelog
v1.0.0 (2026-02-12)
- ✅ Initial release
- ✅ Complete file upload and send functionality
- ✅ Automatic token management
- ✅ Error handling and logging
- ✅ Multi-format file support
License
MIT License - free to use and modify
