Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Image Sending Skill

v1.0.2

Uses your own Feishu app configuration to upload and send local images to a specified Feishu user or group chat; supports PNG/JPG/GIF/WEBP formats.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious

OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description match the code: the script implements the two-step Feishu flow (tenant token → upload image → send message) against open.feishu.cn. No unrelated services, binaries, or credentials are requested by the registry metadata.
Instruction Scope
SKILL.md and README instruct users to edit credentials in scripts/send.py and reference an allow-list file (feishu-axiang-allowFrom.json). The included script performs the token/upload/send flow but does not read or enforce the referenced allowFrom file — documentation and implementation are inconsistent. The instructions also recommend putting credentials into the script (not ideal) rather than environment variables.
Install Mechanism
No install spec; this is instruction-only plus a Python script. No downloads or archive extraction. Risk from install mechanism is low.
Credentials
The registry metadata lists no required env vars, but the script requires a Feishu AppID/AppSecret to function (currently present as placeholders in APP_CONFIG). Credentials are expected to be placed directly in the script per README/SKILL.md rather than declared as environment variables. This is a security hygiene concern, but it does not conflict with the stated purpose.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no system persistence; it runs only when invoked.
Assessment
This skill appears to be what it says: a simple Feishu image sender. Before installing or running it, do the following:

(1) Replace the placeholder APP_CONFIG.app_id and app_secret with credentials you control, but avoid embedding secrets in code. Prefer environment variables or a protected config file.

(2) Note that the README mentions an allow-list file, but the script does not enforce it. If you need recipient restrictions, add enforcement or verify targets yourself.

(3) Don't commit the script with a real AppID/AppSecret to public repos.

(4) Run the script in a trusted environment and grant the Feishu app only the minimum API scopes required.

If you want a stricter review, request that the author remove hardcoded credentials and implement the documented allow-list check (or explain why it was omitted).


Tags: feishu, image, lark, latest, send
