Send Images via Feishu Group Webhook
Review
Audited by ClawScan on May 1, 2026.
Overview
This skill does what it says—uploads a chosen local image to Feishu and posts it to a configured group—but it needs Feishu secrets and will send the selected image outside your machine.
Install only if you intend to let this skill upload local images to Feishu and post them to the configured group. Keep `config.py` private, verify the webhook target, and check the image path before running the command.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who obtains the app secret or webhook URL may be able to use the Feishu integration or post to the configured group.
The skill requires Feishu application credentials and a group bot webhook URL. This is expected for uploading and sending images, but these values grant posting/authentication capability and should be protected.
APP_ID = "cli_xxx" ... APP_SECRET = "xxx" ... WEBHOOK_URL = "https://open.feishu.cn/open-apis/bot/v2/hook/xxx"
Use a least-privilege Feishu app, keep `config.py` private, do not commit it to repositories, and rotate the secret or webhook if exposed.
If invoked with the wrong file path or webhook configuration, the wrong image could be sent to a Feishu group.
The script takes a local path argument, uploads that file as an image, and posts it to the configured webhook. This is purpose-aligned, but it is still an action that can publish content to a group.
image_path = sys.argv[1] ... image_key = upload_image(image_path, APP_ID, APP_SECRET) ... result = send_to_webhook(image_key, WEBHOOK_URL)
Invoke it only when the user intends to send that image, verify the image path and target group, and consider adding a confirmation step before posting.
The chosen image leaves the local machine and may become visible in the configured Feishu group.
The selected local file is transmitted to Feishu's image API and then referenced through a webhook message. This external data flow is the core function, but users should treat it as sending the image outside the local environment.
with open(image_path, 'rb') as f: ... requests.post(url, headers=headers, files=files, data=data) ... requests.post(webhook_url, json={"msg_type": "image"
Do not use the skill for confidential images unless the Feishu workspace and group are appropriate for that data.
The installed package version depends on the package index state at install time.
The setup installs the `requests` package without pinning a version. This is common and purpose-aligned, but the exact dependency version is not locked by the artifacts.
pip install requests
Install from a trusted package index and consider pinning `requests` to a known-good version if packaging this for repeated use.
