feishu-files
Pass
Audited by VirusTotal on Mar 22, 2026.
Findings (1)
The skill instructions in SKILL.md direct the AI agent to read sensitive credentials (appSecret and appId) directly from the local OpenClaw configuration file (/root/.openclaw/openclaw.json) using shell commands. While this behavior is intended to facilitate Feishu API authentication for file uploads, the practice of hardcoding paths to global configuration files and using raw shell execution (curl/python one-liners) to handle secrets poses a significant security risk. There is no evidence of exfiltration to non-official domains, but the direct access to the platform's core configuration file is a high-risk pattern.
