sjht-ppt-delivery
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill does what it claims: it converts a slide HTML file to PDF and sends it through Feishu. Users should be aware that it uses local Feishu bot credentials and uploads the selected file to Feishu.
This skill appears coherent and purpose-aligned. Before installing, confirm you want it to use the configured Feishu bot credentials, verify the recipient open_id and file path when sending, and ensure the required local Chromium, Node, and Python dependencies are trusted.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or invoking the skill allows it to use the configured Feishu bot identity to upload and send files.
The script reads Feishu bot app credentials from the local OpenClaw configuration and uses them to obtain a tenant access token. This is expected for sending a Feishu bot message, but it is sensitive delegated account authority.
```python
OPENCLAW_JSON = os.path.expanduser("~/.openclaw/openclaw.json")
...
APP_ID = main_account.get("appId")
...
APP_SECRET = main_account.get("appSecret")
```
Use only with a Feishu bot/app whose permissions are appropriate for file delivery, and confirm the configured bot account is the one you intend to use.
The PDF or other file passed to the helper will be transmitted to Feishu and delivered to the specified recipient.
The generated or selected file is uploaded to Feishu and then sent as a Feishu message. This external data flow is the stated purpose, but it means file contents leave the local environment.
```python
requests.post("https://open.feishu.cn/open-apis/im/v1/files", ..., files={"file": (file_name, f, content_type)})
...
requests.post("https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id", ...)
```
Only invoke the helper with the intended generated PDF and the correct recipient open_id; avoid passing private or unrelated local files.
The skill may fail or behave differently depending on what global packages and browser binary are installed locally.
The skill depends on already-installed global packages, Chromium, Python requests, and Feishu config. This is purpose-aligned, but the registry metadata does not declare these requirements, so users should verify their local environment.
- `chromium-browser` (installed)
- `puppeteer-core` (global npm package)
- `pdf-lib` (global npm package)
- Python 3 + `requests` (installed)
- Feishu bot configured (APP_ID/SECRET present in openclaw.json)
Confirm the required packages and Chromium binary come from trusted sources and match the expected versions before relying on the skill.
If the input HTML is malicious or untrusted, it may run script content inside the browser context while the PDF is being generated.
The converter renders a local HTML file in headless Chromium with sandboxing disabled. This is a common containerized PDF-conversion pattern and aligns with the purpose, but untrusted HTML could still execute browser-side scripts during rendering.
```javascript
puppeteer.launch({ executablePath: '/usr/bin/chromium-browser', headless: true, args: ['--no-sandbox', '--disable-setuid-sandbox', '--disable-dev-shm-usage'] })
...
await page.goto(`file://${inputFile}`)
```
Use this converter on trusted or agent-generated slide HTML, and be cautious with HTML supplied by unknown parties.
