Feishu Bitable File Upload

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to do what it claims: upload a user-selected file to Feishu/Lark Bitable and return a file token, but it requires Feishu app credentials and sends the chosen file to Feishu.

This looks suitable if you need a Feishu Bitable media-upload helper. Before using it, make sure the file is safe to upload, the parent-node token points to the intended Bitable, and the Feishu app credentials are least-privileged and handled securely.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A file selected for upload will be transmitted to Feishu/Lark under the provided Bitable parent node.

Why it was flagged

The script uploads the user-specified local file to Feishu's media API. This matches the stated purpose, but it is still an external file transfer.

Skill content

curl -s -X POST "${FEISHU_BASE}/open-apis/drive/v1/medias/upload_all" ... -F "file=@${FILE_PATH}"

Recommendation

Verify the file path and parent-node token before running, and use the skill only for files you intend to upload.

What this means

If the Feishu app is over-permissioned, uploads will run with broader workspace authority than necessary.

Why it was flagged

The skill requires Feishu application credentials to obtain an access token. This is expected for the integration, but those credentials carry the permissions granted to the Feishu app.

Skill content

Requires App ID and Secret ... export FEISHU_APP_ID=<APP_ID> ... export FEISHU_APP_SECRET=<APP_SECRET>

Recommendation

Use a least-privileged Feishu app limited to the intended Bitable/Drive permissions, and avoid exposing secrets in shared logs or shell history.

What this means

You may only discover the credential requirement after reading the skill instructions or running the script.

Why it was flagged

The registry metadata does not declare the Feishu credential/env-var requirement that SKILL.md documents, so the credential need may not be visible from metadata alone.

Skill content

Required env vars: none ... Primary credential: none

Recommendation

Review SKILL.md before use and configure only the documented FEISHU_* values for this upload task.