Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

feishu-card-sender

v1.0.1

Send Feishu card messages (plain text and images supported). Uses the card parameter of the message tool; requires Feishu app credentials (App ID + App Secret) to be configured.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and the included script implement Feishu image upload and card sending as advertised. However, the registry metadata declares no required environment variables and no primary credential, even though the skill clearly needs a Feishu App ID and App Secret. The declared requirements therefore do not match what the code actually needs.
Instruction Scope
Runtime instructions are scoped to sending cards and uploading images to Feishu. The SKILL.md and the script only call Feishu Open API endpoints and read app credentials; they do not attempt to read unrelated system files or contact other external endpoints. One small oddity: the documentation tells the user to put the credentials into a USER.md file (not included in the package), while the script reads environment variables. How the values in that file are supposed to reach the script is implied but never stated, which invites users to keep a plaintext secret in a file alongside the skill.
Install Mechanism
This is instruction-only with no install spec (low risk). However, the included Python script depends on the 'requests' library and a working Python runtime, and neither dependency is declared in the metadata or in SKILL.md, so users may be missing required runtime components.
Credentials
The script expects FEISHU_APP_ID and FEISHU_APP_SECRET in the environment (it also accepts CLI flags). Those credentials are appropriate for the skill's purpose, but the registry metadata does not declare any required environment variables or a primary credential. That omission is a mismatch that can lead to accidental misconfiguration or to secrets being placed in insecure locations (for example, committed to repo files).
Persistence & Privilege
The skill does not request persistent/always-on presence and does not modify other skill or system configurations. It is user-invocable only (default) and does not request elevated privileges.
What to consider before installing
This skill's code and instructions match its stated purpose (upload images and send Feishu card messages), but the package metadata fails to declare the required Feishu credentials and the script's Python dependency. Before installing:

1) Verify the script source and review scripts/upload_image.py locally.
2) Provide FEISHU_APP_ID and FEISHU_APP_SECRET via environment variables (or pass them to the script), and avoid storing secrets in repo files such as USER.md.
3) Ensure Python and the 'requests' package are available in the runtime.
4) Create the Feishu app with the minimum permissions the skill needs, and rotate the App Secret if it has ever been written to a file.

If you need the skill to run in an automated or hosted agent, confirm where the agent stores environment variables and whether that storage is secure.
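The two practical checks above (credentials come from the environment or CLI flags, and no secret ends up in a file like USER.md) as an added Python example. This is not the skill's own scripts/upload_image.py; the page does not name the script's flags, so `--app-id` and `--app-secret` are assumed, and the sample USER.md and SKILL.md contents are constructed for the demonstration.

```python
"""Added example, not the skill's own code: resolve Feishu app credentials the
way the scan describes (CLI flags override environment variables, fail closed if
either value is missing) and scan repo files for a misplaced App Secret."""
import argparse
import importlib.util
import re
from typing import Mapping, Sequence

ENV_ID = "FEISHU_APP_ID"
ENV_SECRET = "FEISHU_APP_SECRET"


class CredentialError(ValueError):
    """Raised when a required Feishu credential is absent or blank."""


def resolve_credentials(argv: Sequence[str], environ: Mapping[str, str]) -> tuple[str, str]:
    """Return (app_id, app_secret). Flag names are assumed; the page does not list them.

    `environ` is passed in rather than read from os.environ so the function can be
    exercised offline without touching the real process environment.
    """
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--app-id", default=None)
    parser.add_argument("--app-secret", default=None)
    args, _unknown = parser.parse_known_args(list(argv))
    app_id = args.app_id or environ.get(ENV_ID, "")
    app_secret = args.app_secret or environ.get(ENV_SECRET, "")
    missing = [name for name, value in ((ENV_ID, app_id), (ENV_SECRET, app_secret))
               if not value.strip()]
    if missing:
        # Fail closed instead of sending a request with an empty credential.
        raise CredentialError("missing credential(s): " + ", ".join(missing))
    return app_id.strip(), app_secret.strip()


# Matches lines that assign a secret value, e.g. "FEISHU_APP_SECRET=..." or
# "app_secret: ..."; a bare mention such as "set FEISHU_APP_SECRET in your env"
# has no '=' or ':' after the name and is not flagged.
_SECRET_ASSIGNMENT = re.compile(r"(?i)\b(FEISHU_APP_SECRET|app[_ -]?secret)\b\s*[:=]\s*\S+")


def find_misplaced_secrets(files: Mapping[str, str]) -> list[tuple[str, int]]:
    """Return (path, line_number) for every non-comment line that assigns an App Secret.

    `files` maps a relative path to the file's text, so the check runs on in-memory
    content (or on files you read yourself before committing a skill directory).
    """
    hits: list[tuple[str, int]] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if line.lstrip().startswith("#"):
                continue
            if _SECRET_ASSIGNMENT.search(line):
                hits.append((path, lineno))
    return hits


def missing_runtime_deps(modules: Sequence[str] = ("requests",)) -> list[str]:
    """List modules the script would need that are not importable in this runtime."""
    return [m for m in modules if importlib.util.find_spec(m) is None]


def demo() -> dict:
    """Run both checks on constructed sample input (not real credentials)."""
    sample_files = {
        "USER.md": "# Feishu\nFEISHU_APP_ID=cli_example\nFEISHU_APP_SECRET=not-a-real-secret\n",
        "SKILL.md": "Set FEISHU_APP_SECRET in your environment, never in this repo.\n",
    }
    env = {ENV_ID: "cli_example", ENV_SECRET: "not-a-real-secret"}
    return {
        "from_env": resolve_credentials([], env),
        "flag_override": resolve_credentials(["--app-id", "cli_other"], env),
        # Only USER.md line 3 should be reported; SKILL.md merely mentions the name.
        "misplaced": find_misplaced_secrets(sample_files),
        "missing_deps": missing_runtime_deps(),
    }


if __name__ == "__main__":
    print(demo())
```

Run `find_misplaced_secrets` over the files you intend to commit before publishing a skill directory; the environment-injection style of `resolve_credentials` is what lets the fail-closed path be tested without unsetting real variables.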

Like a lobster shell, security has layers — review code before you run it.

latest: vk973wsvd67maf1nj4br5fkfmk183jf85

