Feishu File Sender

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with the wrong file path or recipient, a local file could be sent to an unintended Feishu user or group.

Why it was flagged

The script uploads the specified local file to Feishu and then sends it as a file message to the selected or default recipient.

Skill content

-F "file=@$FILE_PATH") ... "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=$RECEIVER_TYPE"

Recommendation

Use it only for explicit, intended file sends; review the file path, receiver ID, and receiver type before running.

What this means

The configured Feishu bot can send files/messages within the permissions granted to the app.

Why it was flagged

The skill requires Feishu app credentials and bot permissions that allow uploading resources and sending messages, which is expected for its purpose but sensitive.

Skill content

Requires Feishu App credentials ... FEISHU_APP_ID ... FEISHU_APP_SECRET ... im:message:send_as_bot ... im:resource

Recommendation

Grant only the Feishu permissions needed for this use case, protect the app secret, and rotate it if you suspect unintended use.