feishu-files

Verdict: Warn. Audited by ClawScan on May 10, 2026.

Overview

The skill's behaviour matches its stated purpose of sending media to Feishu, but it directly reads the Feishu app secret and uses raw shell/API calls without declaring those permissions or providing clear safeguards.

Install only if you trust this skill to use your Feishu app credentials. Before each use, verify the exact file path, recipient open_id, and message content, and consider limiting the Feishu app's permissions to only what is needed for media upload and message sending.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill can authenticate to Feishu with the configured app credentials and perform actions allowed to that Feishu app, such as uploading media and sending messages.

Why it was flagged

The skill directly reads the local OpenClaw Feishu app secret and exchanges it for a tenant access token, despite registry metadata declaring no credential or config-path requirement.

Skill content

c=json.load(open('/root/.openclaw/openclaw.json')); print(c['channels']['feishu']['appSecret']); ... tenant_access_token/internal

Recommendation

Declare the Feishu credential/config requirement, use the platform's scoped credential mechanisms where possible, limit the Feishu app permissions, and require user confirmation before using the token.

What this means

A mistaken or overly autonomous invocation could send the wrong local file or message to a Feishu recipient.

Why it was flagged

The runtime instruction explicitly bypasses the normal message tool and uses exec/curl to upload a local file and send a Feishu message, without explicit approval or scoping requirements.

Skill content

Correct method: use the exec tool to run curl against the Feishu API, in three steps ... open-apis/im/v1/images ... open-apis/im/v1/messages?receive_id_type=open_id

Recommendation

Require the user to specify and confirm the exact file path, recipient open_id, and message content before executing the curl commands.

What this means

The skill may fail or behave differently depending on the local shell environment and installed tools.

Why it was flagged

The skill is instruction-only but still relies on local python3 and curl commands; the registry metadata lists no required binaries, so the dependency expectations are under-declared.

Skill content

APP_SECRET=$(python3 -c ...); TOKEN=$(curl -s -X POST ...)

Recommendation

Declare python3 and curl as required runtime tools, or provide an officially supported implementation path.