Feishu Img Tool

Security checks across malware telemetry and agentic risk

Overview

The skill's code generally matches its stated purpose (upload/send images to Feishu) but has several inconsistencies and risky implementation choices (undeclared required credentials, a hard-coded SDK path, missing dependency declaration) that warrant caution before installation.

This skill appears to do what it says (upload and send images to Feishu) but has implementation oddities you should consider before installing:

- Credentials: You will need to provide FEISHU_APP_ID and FEISHU_APP_SECRET (via env vars or ~/.feishu-image/config.json). The registry listing did not declare these requirements — be sure you supply them and understand that the skill will use them to act as the configured Feishu app.
- SDK dependency: The code requires the Lark SDK via a hard-coded pnpm global path (LARK_SDK_PATH). package.json does not list @larksuiteoapi/node-sdk as a dependency. Expect to manually install the SDK or modify the code to require the module normally; otherwise the tool will crash at runtime.
- File handling & command execution: index.js builds shell commands with quoted file paths and uses child_process.exec. If you pass untrusted input into the wrapper, there is a risk of command injection or unexpected behavior. Sanitize inputs or invoke APIs directly instead of shelling out.
- Least privilege: Create a Feishu app with only the permissions needed (im:message, im:image) and avoid using highly privileged credentials. Rotate app secrets if you stop using the skill.
- Testing: Run the tool in a safe/test environment first to verify dependency installation and behavior. Inspect the code yourself (or have someone you trust do so) to confirm there are no hidden endpoints or unexpected data exfiltration.

Given the mismatches (metadata vs. actual credential/config requirements and the hard-coded SDK path), treat the package as suspicious but not overtly malicious. If you need this functionality, prefer a version that properly declares dependencies and required env/config in its registry metadata, or modify the code to use normal module resolution and explicit dependencies.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

VirusTotal

No VirusTotal findings