ClawHub

Feishu Image Sender 飞书发图指南

v1.0.0

Feishu IM messaging operations: send messages, images, files to users and groups via Bot API. Activate when user mentions: 飞书发图、发送图片、飞书消息、im:resource、image_k...

1· 559·0 current·0 all-time
byjiao yang@inuyashayang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Skill name/description (Feishu image/file sending) matches the instructions (use the platform 'message' tool, two-step upload via /im/v1/images then /im/v1/messages). However the SKILL.md instructs using absolute local file paths (filePath="/absolute/path/to/image.jpg"), which implies the agent will need read access to user files; the registry metadata lists no required config paths. This is explainable (sending an image legitimately requires reading the image file) but is a small mismatch between declared metadata and the runtime behavior described.
Instruction Scope
Instructions are narrowly scoped to Feishu IM operations: call the message tool, upload images via the upload API, and then send messages with image_key. The guide documents failure modes, error codes, and distinguishes webhook bots vs Bot App. It does not instruct the agent to read unrelated system files, exfiltrate data, or contact endpoints outside Feishu APIs (aside from referencing official docs).
Install Mechanism
No install spec or code files — instruction-only. No downloads or third-party packages are proposed, so there is no install-time risk.
Credentials
The skill declares no required environment variables or credentials; it relies on the platform's Feishu channel having im:resource, im:message, and im:message:send_as_bot scopes. The SKILL.md mentions tenant_access_token lifecycle (TTL ~2h) and that OpenClaw refreshes tokens automatically; requesting those Feishu scopes is appropriate for the described functionality. No unrelated secrets are requested.
Persistence & Privilege
Skill is not always-enabled and has no install-time persistence. It does not request modification of other skills or system-wide settings. Autonomous invocation is allowed by platform default but is not combined with other suspicious privileges.
Assessment
This skill appears to do what it says: help send images through a Feishu Bot App. Before installing, confirm that your OpenClaw Feishu channel is configured as a Bot App (has im:resource, im:message, im:message:send_as_bot) rather than a webhook. Be aware that the skill's recommended usage expects the agent to read local image file paths you provide (absolute filePath), so avoid sending sensitive images you would not want the agent or the configured bot to access. Finally, if you operate across multiple Feishu tenants, note image_key is tenant-bound and token expiry can cause intermittent failures — verify app_id/app_secret are correct in your channel configuration.

Like a lobster shell, security has layers — review code before you run it.

latestvk971ccwsft3k5qzan7az6y1fwh824e6w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments