ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

飞书图片消息

v1.0.0

飞书图片消息操作技能,当触发飞书发送图片时自动调用本技能。 支持上传图片、发送图片消息、获取图片内容。 Activate when user mentions: 飞书发图、发送图片、上传图片、获取图片、下载图片、image_key。

1· 432·1 current·1 all-time
byBING@imbing
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The code implements upload/send/get/view for Feishu images which matches the skill name and description. However, the skill metadata declared no required credentials or config paths, while the script actually requires Feishu app_id/app_secret stored in the OpenClaw config (~/.openclaw/openclaw.json). That credential dependency is reasonable for Feishu integration but is not declared.
!
Instruction Scope
SKILL.md shows command-line usage only and does not state that the script will read the user's OpenClaw configuration file for credentials. The script's load_feishu_config() reads ~/.openclaw/openclaw.json and expects appId/appSecret — this file access is not documented in the metadata (config paths = none).
Install Mechanism
No install spec (instruction-only) and no downloads are present. The skill is provided as a script file; nothing in the package attempts to install external code or fetch third-party archives.
!
Credentials
The package declares no required environment variables or primary credential, yet the script requires Feishu credentials (app_id/app_secret) read from a local OpenClaw config file. This is a mismatch: the skill will access sensitive credentials that the registry metadata does not surface. The number of secrets requested is appropriate for the stated purpose, but their presence and location should be declared.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and runs only when invoked. It reads and writes files provided by the user (uploads local images, saves downloaded images) which is expected behavior.
What to consider before installing
Before installing or enabling: 1) Know that the script reads your OpenClaw config at ~/.openclaw/openclaw.json to obtain Feishu app_id/app_secret — ensure you are comfortable granting the skill access to those credentials and that the file only contains expected values. 2) The script disables SSL verification (SSL_CONTEXT.verify_mode = ssl.CERT_NONE), which can expose network traffic to man-in-the-middle attacks; consider removing or fixing this behavior before use. 3) Ask the publisher to update the metadata/SKILL.md to explicitly declare the config path and credential requirements (or switch to using well-scoped environment variables) so you can make an informed trust decision. 4) If you cannot review or trust the code origin, run the script in a restricted environment (sandbox or container) and avoid using production credentials; create a Feishu test app with minimal scopes to limit blast radius.

Like a lobster shell, security has layers — review code before you run it.

latestvk979d4nw6j08tcnz685s49yeb58273n8
432downloads
1stars
1versions
Updated 7h ago
v1.0.0
MIT-0
BING@imbing
latest
Download

飞书图片消息操作技能

本技能提供飞书图片消息的完整操作能力,包括上传、发送、获取图片。

功能

功能命令说明
上传图片feishu-img-msg upload上传本地图片到飞书,返回 image_key
发送图片feishu-img-msg send发送图片到指定会话(支持文件路径或 image_key)
获取图片feishu-img-msg get下载飞书图片到本地
查看图片feishu-img-msg view获取图片信息(返回 base64 供 AI 查看)

快速使用

1. 发送本地图片到会话

# 直接发送本地图片文件
python3 ~/.openclaw/workspace/skills/feishu-img-msg/scripts/feishu_image.py \
  send \
  --chat-id "oc_xxxxx" \
  --file "/path/to/image.jpg"

2. 上传图片获取 image_key

# 上传图片,返回 image_key
python3 ~/.openclaw/workspace/skills/feishu-img-msg/scripts/feishu_image.py \
  upload \
  --file "/path/to/image.png"

3. 用 image_key 发送图片

# 使用已有的 image_key 发送
python3 ~/.openclaw/workspace/skills/feishu-img-msg/scripts/feishu_image.py \
  send \
  --chat-id "ou_xxxxx" \
  --image-key "img_xxxxx"

4. 下载图片

# 下载飞书图片到本地
python3 ~/.openclaw/workspace/skills/feishu-img-msg/scripts/feishu_image.py \
  get \
  --image-key "img_xxxxx" \
  --output "/path/to/save.jpg"

5. 查看图片内容(AI 可读)

# 获取图片 base64,用于 AI 分析
python3 ~/.openclaw/workspace/skills/feishu-img-msg/scripts/feishu_image.py \
  view \
  --image-key "img_xxxxx"

参数说明

send 命令

参数必填说明
--chat-id接收者 ID(群聊 oc_ 开头,用户 ou_ 开头)
--file二选一本地图片文件路径
--image-key二选一已上传的 image_key
--chat-type会话类型:group(默认) 或 user
--account飞书账户名(默认 main)

upload 命令

参数必填说明
--file本地图片文件路径
--account飞书账户名(默认 main)

get 命令

参数必填说明
--image-key图片的 image_key
--output保存路径
--account飞书账户名(默认 main)

view 命令

参数必填说明
--image-key图片的 image_key
--account飞书账户名(默认 main)

支持的图片格式

  • JPEG (.jpg, .jpeg)
  • PNG (.png)
  • GIF (.gif)
  • BMP (.bmp)
  • WebP (.webp)

文件大小限制:单张图片最大 30MB

权限要求

Scope用途
im:resource上传图片、获取图片
im:message发送消息
im:message:send_as_bot以机器人身份发送

常见问题

图片发送失败

  1. 检查 chat-id 类型

    • 群聊 ID 以 oc_ 开头,chat_type 设为 group
    • 用户 ID 以 ou_ 开头,chat_type 设为 user

  2. 检查图片格式

    • 支持常见图片格式
    • 确保文件未损坏

  3. 检查权限

    • 机器人需要已加入目标群聊
    • 机器人需要与用户有单聊会话

token 过期

脚本会自动刷新 tenant_access_token,如仍报错:

  • 错误码 99991400 - token 过期,稍后重试
  • 错误码 99991401 - token 无效,检查 app 配置

参考文档

Comments

Loading comments...