Feishu Image Sender 飞书发图指南
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only skill is a disclosed Feishu bot messaging guide; it can send messages and upload selected images/files, so users should verify recipients and content before use.
Use this skill when you intentionally want the Feishu bot to send a specific message, image, or file. Double-check the target user/group and file path before sending, and avoid sending sensitive files unless they are meant for that Feishu conversation.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong recipient or file path, the bot could send unintended content to a Feishu user or group.
The skill instructs the agent to call a messaging tool that can send content and upload a local file to Feishu. This is expected for the stated purpose, but it is a real external side effect.
`message(action=send, channel=feishu, target=<chat_id>, filePath="/absolute/path/to/image.jpg")`
Confirm the recipient, chat ID, file path, and caption before sending, especially for sensitive images or files.
The connected bot can upload media and send messages under its bot identity in the configured Feishu workspace.
The skill discloses Feishu permissions for uploading IM resources and sending messages as a bot. These permissions match the purpose, but they grant authority in a Feishu tenant.
`im:resource` ... `im:message` ... `im:message:send_as_bot` ... All three are currently granted on this installation.
Install only if you trust this skill for Feishu messaging, and ensure the bot's Feishu scopes and accessible chats are limited to what you need.
There is less publisher/source context to rely on, but no hidden helper code or install-time execution is present in the supplied artifacts.
The package has limited provenance information, although the provided artifacts contain only documentation and no executable code.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
If your workspace requires trusted provenance, verify the publisher before enabling the skill.
