Feishu File Sender
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: feishu-file
Version: 1.0.1
The skill provides legitimate functionality for sending files to Feishu, but scripts/send_file.sh contains vulnerabilities due to improper input sanitization. Specifically, user-provided arguments like FILE_PATH and RECEIVER_ID are directly interpolated into curl commands and JSON payloads, which could allow for shell or JSON injection. While the script communicates only with official Feishu endpoints (open.feishu.cn) and lacks clear evidence of intentional malice, the insecure handling of inputs poses a risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong file path or recipient, a local file could be sent to an unintended Feishu user or group.
The script uploads the specified local file to Feishu and then sends it as a file message to the selected or default recipient.
-F "file=@$FILE_PATH") ... "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=$RECEIVER_TYPE"
Use it only for explicit, intended file sends; review the file path, receiver ID, and receiver type before running.
The configured Feishu bot can send files/messages within the permissions granted to the app.
The skill requires Feishu app credentials and bot permissions that allow uploading resources and sending messages, which is expected for its purpose but sensitive.
Requires Feishu App credentials ... FEISHU_APP_ID ... FEISHU_APP_SECRET ... im:message:send_as_bot ... im:resource
Grant only the Feishu permissions needed for this use case, protect the app secret, and rotate it if you suspect unintended use.
