Feishu Assistant

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill is purpose-aligned for sending user-selected images to Feishu, but users should note that it uses Feishu bot credentials from environment variables or the OpenClaw config.

This appears safe for its stated purpose if you intend to send images through a Feishu bot. Install only if you are comfortable with the skill reading the configured Feishu app credentials and uploading the chosen image to Feishu; verify recipient IDs before use.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed and invoked, the skill can act through the configured Feishu bot account to upload images and send messages to specified Feishu recipients.

Why it was flagged

The script uses Feishu app credentials from environment variables or the OpenClaw main config to obtain a tenant token. This is expected for sending as a Feishu bot, but users should know the skill can use those credentials.

Skill content

app_id = os.environ.get("FEISHU_APP_ID")
app_secret = os.environ.get("FEISHU_APP_SECRET")
openclaw_config_path = Path.home() / ".openclaw" / "openclaw.json"

Recommendation

Use a Feishu app/bot with only the needed permission, such as im:message:send_as_bot, and confirm which workspace, chat, or user ID is being targeted.

What this means

A selected local image can be sent into a Feishu private chat, group chat, or message thread when the skill is invoked with a recipient ID.

Why it was flagged

The script uploads the provided image to Feishu and sends it as an image message. This matches the skill purpose, but it is an external messaging action.

Skill content

requests.post(
    "https://open.feishu.cn/open-apis/im/v1/images",
...
requests.post(
    "https://open.feishu.cn/open-apis/im/v1/messages",

Recommendation

Before invoking, verify the image path and destination ID, especially for group chats or sensitive images.