Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Assistant

v1.1.1

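Feishu assistant for sending images to the Feishu platform. Use this skill when the user needs to send a generated image to Feishu (direct message or group chat). Supports sending images by user_id, open_id, or chat_id.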

by kinggu @gushenjie

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for gushenjie/feishu-assistant.

Install the skill "Feishu Assistant" (gushenjie/feishu-assistant) from ClawHub.
Skill page: https://clawhub.ai/gushenjie/feishu-assistant
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI


openclaw skills install feishu-assistant

ClawHub CLI


npx clawhub@latest install feishu-assistant

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description (send images to Feishu) matches the included script: it uploads an image and sends or replies to messages via the official open.feishu.cn API endpoints. Needing an App ID/App Secret is expected for this capability, but the registry metadata lists no required env vars or primary credential — that's inconsistent with the actual code and SKILL.md.
!
Instruction Scope
SKILL.md and scripts instruct the agent to auto-read credentials from environment variables or from the OpenClaw main config at ~/.openclaw/openclaw.json. This is reasonable for convenience, but the instructions give the skill implicit permission to read a user’s global OpenClaw config (not declared in metadata) which may contain other channels/credentials. The script only calls Feishu endpoints (no other external endpoints) and only uploads the provided image, so there is no obvious exfiltration to unknown domains.
Install Mechanism
There is no install spec (instruction-only plus a small Python script). Nothing is downloaded from external or untrusted URLs. The script uses the requests library which may need to be present in the runtime environment but no installer is provided — low install-surface risk.
!
Credentials
The code requires FEISHU_APP_ID and FEISHU_APP_SECRET (or the OpenClaw config file) to operate, which is appropriate for a Feishu integration. However the skill metadata declares 'Required env vars: none' and 'Required config paths: none' while the runtime instructions and script explicitly read those values. This mismatch is the main proportionality concern because the skill will access user credentials/config without that being declared in the registry metadata.
Persistence & Privilege
The skill is not marked always:true, does not modify other skills or system-wide settings, and does not persist new credentials beyond reading them. Autonomous invocation is allowed (platform default) but combined with the above undeclared credential access it increases the need for caution.
What to consider before installing
This skill's code does what it says (uploads and sends images to Feishu), but it will look for FEISHU_APP_ID / FEISHU_APP_SECRET or read your ~/.openclaw/openclaw.json even though the registry metadata claims 'no required config'. Before installing, review and confirm you are comfortable with the skill reading your OpenClaw config and providing it Feishu credentials. Consider:

  1. Inspect ~/.openclaw/openclaw.json to see what will be read.
  2. Prefer setting FEISHU_APP_ID/FEISHU_APP_SECRET in a dedicated environment rather than relying on a global OpenClaw config.
  3. If you have sensitive credentials in your OpenClaw config, avoid granting this skill access or run it in an isolated account/environment.
  4. Optionally run the script locally first to validate behaviour and network calls, and ensure you trust the skill owner before giving it production credentials.

Like a lobster shell, security has layers — review code before you run it.

latest: vk976k396b3b48wacn2wegt4m0n84843e
109 downloads
0 stars
3 versions
Updated 3w ago
v1.1.1
MIT-0

Feishu Assistant

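Send images to the Feishu platform (direct message or group chat).

Credential configuration (zero configuration, works out of the box)

✅ Recommended: OpenClaw main config (no action required)

If your OpenClaw already has a Feishu bot configured, the credentials are read automatically and no action is required.

The skill reads Feishu credentials in a cascade, in this priority order:

  1. Environment variables FEISHU_APP_ID / FEISHU_APP_SECRET
  2. The Feishu configuration in the OpenClaw main config ~/.openclaw/openclaw.json
  3. If neither is present → the script reports the error "未配置飞书凭证" (Feishu credentials not configured)

Obtaining the Feishu configuration

  1. Visit https://open.feishu.cn/ and create a custom enterprise app
  2. Obtain the App ID and App Secret
  3. Enable the permission: im:message:send_as_bot
  4. Add the app to a group chat (to obtain the chat_id)

Usage

Send an image to a group chat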

python3 scripts/send_image.py /path/to/image.png --chat-id chat_xxxxx

Send an image to a user (direct message)

# By user_id
python3 scripts/send_image.py /path/to/image.png --user-id u_xxxxx

# By open_id
python3 scripts/send_image.py /path/to/image.png --open-id o_xxxxx

Reply to a message (sent to the same conversation)

python3 scripts/send_image.py /path/to/image.png --message-id oxxxxxx

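How to obtain IDs

| ID type | Format | How to obtain |
|---|---|---|
| Group chat ID | chat_xxxxx | Feishu group settings → Group bots → Copy Chat ID |
| User ID | u_xxxxx | Internal enterprise user ID, obtained via the API or the admin console |
| Open ID | o_xxxxx | Open platform user ID, obtainable through the bot |
| Message ID | o_xxxxx | The message_id carried in message events |

Integrating with other skills

When the user says "发送到飞书" (send to Feishu) or "发到群里" (send to the group), call this skill to send the image.

Script path: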

skills/feishu-assistant/scripts/send_image.py
