feishu-send-file

v1.2.1

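Feishu file-sending skill. Used to send ordinary file attachments (HTML, ZIP, PDF, code files, etc.) to users via Feishu, and as a reliable fallback for the case where a local image path is sent as path text. Ordinary files must first be uploaded to obtain a `file_key` and then sent; when a local image is sent with `message`/`media` and Feishu shows only the `/root/...png` path instead of showing...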

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, SKILL.md, and the two included Python scripts consistently implement uploading files/images to Feishu (im/v1/files and im/v1/images) and sending them. The scripts use Feishu/Lark endpoints only and require app_id/app_secret which are appropriate for this capability.
Instruction Scope
SKILL.md instructs users/agents to read credentials from /root/.openclaw/openclaw.json (via a grep example) and shows an exec() usage example that interpolates variables into a shell command. Reading the OpenClaw config to obtain app_id/app_secret is coherent with the task, but the exec example demonstrates potentially unsafe string interpolation (shell injection / accidental credential exposure) and encourages accessing a local config file which may contain other sensitive data.
Install Mechanism
No install spec — instruction-only with included scripts. The scripts call curl via subprocess/urllib to communicate with Feishu; no external downloads, no archive extraction, and no non-standard installs are present.
Credentials
The skill does not declare required env vars but legitimately needs app_id and app_secret to obtain tenant tokens; SKILL.md suggests obtaining them from the OpenClaw config. Requesting those credentials is proportional to the described functionality, but users should be aware the skill assumes access to /root/.openclaw/openclaw.json (local config) which may contain other sensitive settings.
Persistence & Privilege
always is false and the skill does not request persistent or elevated platform privileges. It does not modify other skills or system-wide configuration.
Assessment
This skill appears to do exactly what it says: upload files/images to Feishu and send them. Before installing or running it, consider: (1) The scripts require your Feishu app_id and app_secret — only provide credentials for an app with minimal permissions. (2) SKILL.md suggests reading /root/.openclaw/openclaw.json to fetch credentials; verify that file contains only expected keys and that you are comfortable the skill (or agent) can read it. (3) Avoid copying the raw exec() example into a service that interpolates untrusted values — it can lead to shell injection or accidental credential leakage; prefer passing arguments safely to the scripts. (4) Review and run the included scripts in a controlled environment (non-root, limited network) if you have concerns. If you want stronger assurance, ask the skill author to accept credentials via environment variables or secured input rather than instructing agents to grep local config files.

