Feishu Send File 1.2.1
v1.0.0通过飞书机器人稳定发送本地普通文件或本地图片。用于现有一等工具无法直接完成“发送本地文件附件”时,或本地图片经常规消息链路发送后在飞书里只显示路径文本而不显示图片本体时。普通文件走 `im/v1/files -> file_key -> msg_type=file`,图片走 `im/v1/images -> im...
⭐ 0· 11·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
The name, description, SKILL.md, and the two Python scripts all consistently implement sending local files/images to Feishu/Lark via the official im/v1/files and im/v1/images flows. However, the skill declares no required binaries while both scripts invoke curl via subprocess; the scripts therefore implicitly require curl to be available.
Instruction Scope
SKILL.md stays on task: it documents when to use the scripts, required parameters, and the Feishu/Lark API steps. The scripts only read the local file paths you pass and make network calls to official Feishu/Lark endpoints; they do not reference unrelated system files or external endpoints.
Install Mechanism
This is an instruction-only skill with no install spec (no packages downloaded or archives extracted). That lowers installation risk. The only operational dependency is curl invoked by the scripts; no installer behavior was found.
Credentials
No environment variables or persistent credentials are requested, which is consistent with passing app_id/app_secret as script arguments. However, passing app_secret (and app_id) on the command line exposes them in process listings (ps) on multi-user systems. The scripts obtain tenant_access_token from the official auth endpoint and only send data to Feishu/Lark; they do not request unrelated credentials or external endpoints.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It has normal transient behavior (invoked scripts) and no elevated persistence.
Assessment
This skill appears to do what it says: upload local files/images to Feishu/Lark using the official APIs. Before installing or running it, note these practical points: (1) The Python scripts call curl but the skill metadata does not declare curl as a required binary — ensure curl is available on the host. (2) The scripts expect app_id and app_secret as command-line arguments; supplying secrets on the CLI can expose them to other local users via process listings. Prefer running in a trusted environment or modifying the scripts to read secrets from a secured file or environment variable if you need tighter secrecy. (3) Confirm the app_id/app_secret you supply have only the permissions required for sending messages/files. (4) The scripts only contact official open.feishu.cn or open.larksuite.com endpoints and do not phone home elsewhere. If any of these points are unacceptable (e.g., you cannot expose secrets on the command line), request an updated version that avoids CLI-secret exposure and explicitly documents required binaries.Like a lobster shell, security has layers — review code before you run it.
latestvk971wsbhz1btj1gr9rk8vmrev584cgwe
License
MIT-0
Free to use, modify, and redistribute. No attribution required.