Sketch Illustration
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This illustration skill is coherent, but it uses local API and Feishu credentials, defaults to sending images to a fixed Feishu recipient, and calls an unreviewed helper outside the package.
Before installing, verify that the fixed Feishu open_id is yours or remove it, review the external feishu-send-file helper, and use scoped API/Feishu credentials. Do not use this skill with private content unless you are comfortable sending prompts to ZenMux and generated images to the configured Feishu recipient.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings for this skill version.
- Malicious: 0
- Suspicious: 0
- Harmless: 0
- Undetected: 65
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can act through the user's Feishu app credentials to upload and send images.
The script reads the Feishu app secret from the local OpenClaw config and passes it to another script; this is high-impact account authority and is not declared as a primary credential in the registry metadata.
cfg=json.loads(pathlib.Path('/root/.openclaw/openclaw.json').read_text()); fei=cfg['channels']['feishu']; print(fei.get('appSecret') ...); ... send_image.py ... "$APP_SECRET"
Use only scoped Feishu credentials, confirm the recipient before sending, and require the skill to declare its credential needs clearly.
Images generated from private user content could be sent to an unintended Feishu recipient.
If no recipient is provided, the script sends the generated image to a fixed Feishu open_id, making the outbound data boundary unclear for other users.
OPEN_ID="${2:-ou_22f2eefd5abe63e0cd67f4882cec06d4}"
Remove the hard-coded default recipient or require the user to explicitly choose and confirm the Feishu recipient each time.
The actual Feishu upload/send behavior depends on unreviewed code outside this package.
The skill executes a helper from another local skill that is not included in the reviewed manifest, while passing it Feishu credentials.
python3 /root/.openclaw/workspace/skills/feishu-send-file/scripts/send_image.py "$IMAGE_PATH" "$OPEN_ID" "$APP_ID" "$APP_SECRET" "$DOMAIN"
Include the helper source in this skill, declare the dependency, or ask users to review and install the Feishu helper separately before use.
Prompts and generated-image requests are sent to an external image provider using the user's configured API key.
The image generator uses a ZenMux API key and sends prompts to the ZenMux image API, which is expected for the stated image-generation purpose.
api_key = config["models"]["providers"]["ZenMux"]["apiKey"]; ... Request(f"{ZENMUX_BASE_URL}/responses", ... "Authorization": f"Bearer {api_key}")
Avoid sending confidential content in prompts unless the ZenMux account and data handling are acceptable.
