Feishu Send Image
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to do what it says—send a chosen local image through Feishu—but it uses your Feishu app secret and bot permissions to do so.
Before installing, make sure you trust the Feishu app credentials being used, confirm the bot has only the needed permissions, and verify the image path and recipient each time you send an image. The provided code is simple and purpose-aligned, but the metadata should better advertise its curl/python3 requirements and credential use.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the wrong recipient or image path is supplied, the bot may send the image to the wrong Feishu user or group.
The skill intentionally uses direct Feishu API calls instead of the built-in message tool. This is disclosed and purpose-aligned, but it means the script can send bot messages to any supplied Feishu receive_id.
This skill bypasses that limitation by calling Feishu Bot API directly.
Use only verified recipient IDs and image paths, and consider adding a confirmation step before sending to group chats or external recipients.
Anyone able to use the app secret with the required Feishu permissions could send bot messages and upload images through that Feishu app.
The skill relies on a local Feishu app secret to obtain a tenant access token and act as the Feishu bot. This is expected for the stated function, but it is sensitive account authority.
Read `~/.openclaw/openclaw.json` and extract:
- `channels.feishu.accounts.default.appId`
- `channels.feishu.accounts.default.appSecret`
Keep the app secret protected, grant only the needed Feishu permissions, and avoid exposing secrets in logs, transcripts, or shared command histories.
The chosen image becomes available to Feishu for delivery as a chat image, so sensitive screenshots or charts could be shared if selected by mistake.
The script uploads the selected local image file to Feishu's image API. This external data flow is disclosed and central to the purpose, but users should understand the file leaves the local machine.
curl -s -X POST 'https://open.feishu.cn/open-apis/im/v1/images' ... -F "image=@$IMAGE_PATH"
Confirm that the selected image is appropriate to upload and send, and avoid using broad or ambiguous file paths.
The skill may fail or behave differently on systems without curl and python3, even though the registry requirements do not advertise those prerequisites.
The README declares runtime dependencies, while the registry metadata says there are no required binaries and there is no install spec. This may make the runtime requirements less visible at install time.
- `curl` and `python3` are installed on the system
Declare curl and python3 in the skill metadata or installation requirements so users can review prerequisites before installing.
