Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
飞书媒体发送
v1.1.0飞书媒体文件发送技能。适用于:发送文件、图片、URL图片、视频、音频、语音消息,以及打包压缩后发送。当用户要求在飞书中发送任何类型的媒体文件时激活此技能。
⭐ 0· 538·8 current·9 all-time
by@godzff
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description and runtime instructions are aligned: the skill sends local files, URLs, videos, audio, and compressed archives to Feishu. However SKILL.md references ffmpeg/ffprobe for audio conversion/duration yet the skill metadata declares no required binaries. Also the README notes Feishu app permissions (im:message, im:resource) but the skill declares no credentials or environment variables — it assumes the host/agent already has Feishu authorization configured.
Instruction Scope
Instructions focus on sending media via a 'message' tool with channel=feishu and accept arbitrary filePath or media URL inputs — this is expected, but it means the skill can read and transmit any local files the agent is instructed to send. There are no guardrails or limits described beyond a generic 30MB limit. The instructions also call out ffmpeg/ffprobe usage but don't declare them as required binaries.
Install Mechanism
Instruction-only skill with no install steps and no code files; nothing is written to disk by an installer. This is the lowest-risk install mechanism.
Credentials
The skill declares no required environment variables or primary credential, which is plausible if the platform supplies Feishu credentials via the 'message' tool. Still, the SKILL.md explicitly requires Feishu app permissions and external binaries (ffmpeg/ffprobe). The lack of explicit credential requirements means you should confirm where and how Feishu auth is provided by your agent/platform before trusting it.
Persistence & Privilege
always is false, user-invocable is true, and model invocation is allowed — standard settings for a skill of this type. The skill does not request persistent or cross-skill configuration changes.
Assessment
This skill appears to do what it says (send media to Feishu) but verify three things before installing: (1) Confirm your agent/platform already provides Feishu authorization (app token/credentials) and that the required Feishu app permissions (im:message, im:resource) are scoped appropriately. (2) Install ffmpeg/ffprobe from a trusted source if you need voice conversion/duration detection — SKILL.md expects them but they are not declared in metadata. (3) Be cautious about which files you instruct the skill to send: it accepts arbitrary local file paths and URLs, so don’t ask it to send sensitive files (passwords, private keys, credential stores) unless you intentionally want them transmitted. If you need stronger safety, request the skill declare explicit binary and credential requirements or add guardrails limiting allowed file paths/types.Like a lobster shell, security has layers — review code before you run it.
latestvk971hb6qvyap3q5e6fan2xaw2d81x3c9
License
MIT-0
Free to use, modify, and redistribute. No attribution required.