Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Img Send

v1.0.0

Feishu Image Sender - send images directly to Feishu via the API

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description match the implementation: both the Python and shell scripts call Feishu APIs to obtain a tenant token, upload an image, and send a message. However, the implementation relies on embedded app credentials rather than using credentials provided by the user, which is a design choice that should be explicit to users.
Instruction Scope
Runtime instructions and scripts only read the provided image path and target user ID and call Feishu endpoints. They do not attempt to read unrelated files, environment variables, or other system state. No evidence of exfiltration to endpoints outside Feishu.
Install Mechanism
No install spec — instruction-only with small helper scripts. Nothing is downloaded or written to disk by an installer. This is low install risk.
Credentials
The code embeds an APP_ID and APP_SECRET directly in both the Python and shell scripts rather than declaring required credentials or asking the user to supply their own. This is disproportionate from a privacy/credential perspective: user images will be uploaded under the publisher's Feishu app/tenant and the included secret is exposed in the skill bundle.
Persistence & Privilege
The skill does not request persistent presence (always=false) and does not modify other skills or system-wide settings. It runs only when invoked.
What to consider before installing
This skill will upload whatever image file you pass to it to Feishu using the APP_ID/APP_SECRET embedded in the bundle. Before installing or running it:

  1. Understand that your images will be uploaded to the publisher's Feishu app/tenant (possible privacy leakage).
  2. Prefer a version that asks you to provide your own APP_ID/APP_SECRET (via environment vars or config) so uploads occur under your credentials.
  3. If you must use this package, avoid sending sensitive images.
  4. Consider asking the publisher who controls the Feishu app and whether the embedded credentials are intended for public use; if not, do not use it.
  5. If you are the owner of the embedded credentials, rotate them immediately and replace the hardcoded secrets with configurable env vars.
  6. Verify the Feishu app's permissions (im:resource, im:message) and audit recipients to prevent misuse.

Like a lobster shell, security has layers — review code before you run it.

MIT-0

Feishu Image Sender

Sends images through the Feishu Open Platform API.

Usage

Command line

# Send an image
./scripts/send.sh <image_path> <user_id>

# Example
./scripts/send.sh /tmp/test.png ou_xxxxxxxx

Python

from feishu_image import FeishuImageSender

sender = FeishuImageSender()
sender.send_image("/tmp/test.png", "ou_xxxxxxxx")

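Configuration

The scripts ship with APP_ID and APP_SECRET built in; no additional configuration is required.

How It Works

  1. Obtain a tenant_access_token
  2. Upload the image to Feishu to obtain an image_key
  3. Send an image message using the image_key

API calls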

POST /open-apis/auth/v3/tenant_access_token/internal
POST /open-apis/im/v1/images
POST /open-apis/im/v1/messages
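
The three steps above, written with the credential handling the scan recommends (the caller's own APP_ID/APP_SECRET read from the environment, no embedded fallback). This is an added example, not the skill's own code. Assumptions: the host open.feishu.cn, the variable names FEISHU_APP_ID and FEISHU_APP_SECRET, the injectable `post` transport, open_id as the receive_id_type, and request/response field names taken from Feishu's public API documentation rather than from this page.

```python
import json
import os
import uuid
from urllib import request

BASE = "https://open.feishu.cn"  # assumption: Feishu Open Platform host, not given on the page

def load_credentials(env=os.environ):
    """Return the caller's own (app_id, app_secret); fail closed if either is unset."""
    try:
        return env["FEISHU_APP_ID"], env["FEISHU_APP_SECRET"]  # hypothetical names
    except KeyError as missing:
        raise RuntimeError(f"{missing.args[0]} is not set; no built-in fallback") from None

def http_post(path, headers, body):
    """Default transport: POST raw bytes to Feishu and decode the JSON reply."""
    req = request.Request(BASE + path, data=body, headers=headers, method="POST")
    with request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def call(post, path, headers, body):
    """POST and require code == 0; the error names the path, never the secret."""
    reply = post(path, headers, body)
    if reply.get("code") != 0:
        raise RuntimeError(f"{path} failed with code {reply.get('code')}")
    return reply

def send_image(image_bytes, open_id, post=http_post, env=os.environ):
    app_id, app_secret = load_credentials(env)
    as_json = {"Content-Type": "application/json; charset=utf-8"}
    # Step 1: exchange the app credentials for a tenant_access_token.
    creds = json.dumps({"app_id": app_id, "app_secret": app_secret}).encode()
    token = call(post, "/open-apis/auth/v3/tenant_access_token/internal",
                 as_json, creds)["tenant_access_token"]
    auth = {"Authorization": f"Bearer {token}"}
    # Step 2: multipart upload (image_type=message) returns an image_key.
    b = uuid.uuid4().hex
    head = (f'--{b}\r\nContent-Disposition: form-data; name="image_type"\r\n\r\n'
            f'message\r\n--{b}\r\nContent-Disposition: form-data; name="image"; '
            f'filename="image"\r\nContent-Type: application/octet-stream\r\n\r\n')
    upload = call(post, "/open-apis/im/v1/images",
                  {**auth, "Content-Type": f"multipart/form-data; boundary={b}"},
                  head.encode() + image_bytes + f"\r\n--{b}--\r\n".encode())
    image_key = upload["data"]["image_key"]
    # Step 3: send an image message that references the image_key.
    msg = {"receive_id": open_id, "msg_type": "image",
           "content": json.dumps({"image_key": image_key})}
    call(post, "/open-apis/im/v1/messages?receive_id_type=open_id",
         {**auth, **as_json}, json.dumps(msg).encode())
    return image_key
```

Run this way, uploads land in the tenant of whoever set the two variables, and rotating the secret needs no change to the bundle.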

Required permissions

  • im:resource
  • im:message

Changelog

  • v1.0.0: Initial release
