Feishu Assistant

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed and invoked, the skill can act through the configured Feishu bot account to upload images and send messages to specified Feishu recipients.

Why it was flagged

The script uses Feishu app credentials from environment variables or the OpenClaw main config to obtain a tenant token. This is expected for sending as a Feishu bot, but users should know the skill can use those credentials.

Skill content

app_id = os.environ.get("FEISHU_APP_ID")
app_secret = os.environ.get("FEISHU_APP_SECRET")
openclaw_config_path = Path.home() / ".openclaw" / "openclaw.json"

Recommendation

Use a Feishu app/bot with only the needed permission, such as im:message:send_as_bot, and confirm which workspace, chat, or user ID is being targeted.

What this means

A selected local image can be sent into a Feishu private chat, group chat, or message thread when the skill is invoked with a recipient ID.

Why it was flagged

The script uploads the provided image to Feishu and sends it as an image message. This matches the skill purpose, but it is an external messaging action.

Skill content

requests.post(
    "https://open.feishu.cn/open-apis/im/v1/images",
...
requests.post(
    "https://open.feishu.cn/open-apis/im/v1/messages",

Recommendation

Before invoking, verify the image path and destination ID, especially for group chats or sensitive images.