Feishu Messaging
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: feishu-messaging
Version: 0.0.3
The OpenClaw skill bundle for Feishu messaging appears benign. It provides Python code examples for interacting with the Feishu API to send messages, upload images/files, and manage chat members using the `lark_oapi` SDK. While the skill demonstrates local file access for uploading images and videos, this is a legitimate function for a messaging skill and there is no evidence of intent to exfiltrate sensitive data or execute malicious commands. The SKILL.md instructions are descriptive and do not contain any prompt injection attempts with malicious objectives.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these credentials are supplied, the agent can act as the Feishu bot within the granted scopes.
The skill requires Feishu app credentials and bot permissions to send messages and read chat/member information. This matches the stated purpose, but it grants meaningful workspace authority.
`im:message:send_as_bot`, `im:chat:readonly`, `im:chat.members:read` ... `.app_id("YOUR_APP_ID")` ... `.app_secret("YOUR_APP_SECRET")`
Use a dedicated Feishu app with least-privilege scopes, rotate secrets if exposed, and avoid giving broader tenant permissions than needed.
A mistaken recipient, message body, or file choice could disclose information to the wrong Feishu user or chat.
The documented workflow can send messages and upload local files to Feishu. This is expected for a messaging skill, but these actions are externally visible and may be hard to undo.
`client.im.v1.message.create(request)` ... `file = open("飞书20260129-173520.mp4", "rb")` ... `client.im.v1.file.create(request)`
Require clear user approval for recipients, message content, and file paths before sending or uploading through Feishu.
