ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Send Image

Send images directly in Feishu chat as native image messages (not file attachments). Use when: need to send a generated image, chart, screenshot, or any loca...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 106 · 0 current installs · 0 all-time installs
byPL Uncle@jasonzhang2015
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the implementation: the script calls Feishu endpoints to obtain a tenant token, upload an image, and send an image message. The required arguments (image path, receive_id, app_id, app_secret) are consistent with the stated purpose.
Instruction Scope
SKILL.md and README explicitly tell the user/agent to read ~/.openclaw/openclaw.json to obtain appId/appSecret. The script itself does not automatically read that file (it expects credentials as arguments), but the instructions point the agent toward a specific local config file. This is within the skill's purpose but is a scope mismatch versus the declared metadata (which claimed no config paths).
Install Mechanism
No install spec (instruction-only skill with an included shell script). No remote downloads or archive extraction. This is low-risk for installation mechanics.
!
Credentials
The skill requires Feishu app_id and app_secret (sensitive secrets) to function — that's appropriate for the integration, but the registry metadata lists no required env vars or config paths. README lists preconditions (curl and python3) which are not declared in metadata. The SKILL.md suggests reading ~/.openclaw/openclaw.json to obtain credentials; that file may contain other secrets and was not declared as a required config path. Also the provided usage sends secrets on the command line (argv), which can be exposed via process listings — a security concern.
Persistence & Privilege
The skill does not request persistent/always-on presence, does not modify other skills or system-wide configs, and has no elevated privileges declared. Autonomous invocation remains possible (platform default) but is not combined with other high-risk factors here.
What to consider before installing
This skill implements the advertised feature (sending inline Feishu images) and uses legitimate Feishu endpoints. Before installing: (1) note the package metadata omits runtime requirements — the script needs curl and python3 and the README/skill instructs reading ~/.openclaw/openclaw.json for app_id/app_secret; verify that reading that file is acceptable in your environment. (2) Treat app_id/app_secret as sensitive: avoid passing them on the command line (process lists can expose them); prefer using a secure credential mechanism or a protected config file with restricted permissions. (3) Confirm the Feishu app only has the minimum permissions required (im:message:send_as_bot and im:resource). (4) Inspect the script in your environment before running and run it in a context that limits exposure of credentials and of any untrusted images. If you want higher assurance, ask the author to declare required binaries and config paths in the skill metadata and to provide an option that reads credentials from a secure env var or a restricted config file rather than command-line arguments.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk979nebnxn9bf0qrc6xz1dcw1h83630y

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Feishu Send Image

Send local image files as native Feishu image messages via the Feishu Bot API.

Why This Skill Exists

OpenClaw's message tool with filePath, media, or buffer parameters only sends file attachments in Feishu, not inline images. This skill calls the Feishu API directly to send proper image messages.

Quick Usage

Run the script:

bash scripts/feishu_send_image.sh <image_path> <receive_id> <app_id> <app_secret> [receive_id_type]

Arguments

ArgDescription
image_pathLocal path to image (png/jpg/gif/webp)
receive_idFeishu open_id (user) or chat_id (group)
app_idFeishu app ID from ~/.openclaw/openclaw.jsonfeishu.accounts.default.appId
app_secretFeishu app secret from ~/.openclaw/openclaw.jsonfeishu.accounts.default.appSecret
receive_id_typeopen_id (default) or chat_id

Example

bash scripts/feishu_send_image.sh /tmp/chart.png \
  ou_38470740452f6083ce189b7ddec722f8 \
  cli_a92c368412f9dcb1 \
  7uM7aLqeqYqm0Fsy0IP5QhOyTBSwxlfT

Getting Credentials

Read ~/.openclaw/openclaw.json and extract:

  • channels.feishu.accounts.default.appId
  • channels.feishu.accounts.default.appSecret

The receiver's open_id comes from inbound message metadata (sender_id).

How It Works

  1. Get tokenPOST /auth/v3/tenant_access_token/internal with appId/appSecret
  2. Upload imagePOST /im/v1/images with image_type=message, returns image_key
  3. Send messagePOST /im/v1/messages with msg_type=image and the image_key

Output

On success: OK: image_key=<key> message_id=<id> On failure: prints error and exits with code 1.

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…