Feishu Assistant

Advisory

Audited by VirusTotal on Apr 5, 2026.

Overview

Type: OpenClaw Skill
Name: feishu-assistant
Version: 1.1.1

The feishu-assistant skill is a legitimate tool for sending images to the Feishu platform. The script `scripts/send_image.py` correctly implements its stated functionality, including credential management from environment variables or the local `~/.openclaw/openclaw.json` config, image type validation using magic bytes, and rate limiting. No evidence of data exfiltration, malicious execution, or prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed and invoked, the skill can act through the configured Feishu bot account to upload images and send messages to specified Feishu recipients.

Why it was flagged

The script uses Feishu app credentials from environment variables or the OpenClaw main config to obtain a tenant token. This is expected for sending as a Feishu bot, but users should know the skill can use those credentials.

Skill content

app_id = os.environ.get("FEISHU_APP_ID")
app_secret = os.environ.get("FEISHU_APP_SECRET")
openclaw_config_path = Path.home() / ".openclaw" / "openclaw.json"

Recommendation

Use a Feishu app/bot with only the needed permission, such as im:message:send_as_bot, and confirm which workspace, chat, or user ID is being targeted.

What this means

A selected local image can be sent into a Feishu private chat, group chat, or message thread when the skill is invoked with a recipient ID.

Why it was flagged

The script uploads the provided image to Feishu and sends it as an image message. This matches the skill purpose, but it is an external messaging action.

Skill content

requests.post(
    "https://open.feishu.cn/open-apis/im/v1/images",
...
requests.post(
    "https://open.feishu.cn/open-apis/im/v1/messages",

Recommendation

Before invoking, verify the image path and destination ID, especially for group chats or sensitive images.