Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Send Files

Feishu batch file-sending skill: supports bot triggers and command-line invocation, automatic configuration, zero dependencies

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 83 · 1 current installs · 1 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md implement a Feishu file-send capability (search workspace, upload to open.feishu.cn, send file message), which matches the name/description. However the registry metadata lists no required config paths or credentials, while the code explicitly reads ~/.openclaw/openclaw.json for channels.feishu (appId/appSecret) and reads/writes workspace config files. The skill therefore uses credentials/config that were not declared in the manifest.
Instruction Scope
Runtime instructions and the code align: the skill supports robot triggers and CLI use, recursive search of the workspace, absolute-path sending, and interactive selection. Important behavioral details in the code (searches ~/.openclaw/workspace, allows absolute paths anywhere on disk, auto-creates workspace config.json) are within the stated purpose but are powerful — the skill can read arbitrary files accessible to the user and send them to Feishu, and the CLI defaults to sending to a personal OpenID if --to is omitted (risk of accidental data exposure).
Install Mechanism
No remote download or install steps are present; the package is instruction-only plus a local Node.js script. No external packages or third-party archives are fetched or extracted during install, which lowers supply-chain risk.
Credentials
The package does not declare any required environment variables or primary credentials, yet the code requires Feishu appId/appSecret stored in ~/.openclaw/openclaw.json (channels.feishu) to obtain tenant_access_token and perform uploads/messages. It also reads/writes workspace config.json and logs. Not declaring these config/credential dependencies is an incoherence and raises risk (the skill will access sensitive credentials/configs).
Persistence & Privilege
The skill does not request 'always' or elevated platform privileges. It writes logs under its directory and may create or update workspace/config.json in the OpenClaw workspace. This is normal for local configuration but should be noted: it will persist a default recipient and logs on disk.
What to consider before installing
What to check before installing:
1) Inspect ~/.openclaw/openclaw.json to confirm which Feishu appId/appSecret would be used and ensure those credentials have minimal permissions.
2) Review the index.js code (already included) to confirm you trust it to read files under ~/.openclaw/workspace and any absolute paths the user supplies — the skill can send any readable file.
3) If you only want limited scope, run the script as an unprivileged user and keep sensitive files out of the workspace/home directory accessible to the skill.
4) Consider requiring the skill author to: declare required config paths/credentials in metadata, and add safeguards (confirmation prompts before sending files outside workspace, safer defaults for CLI --to).
5) If unsure, test in a sandboxed environment or reject installation until the manifest and documentation explicitly list the config/credential dependencies.
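
The safeguards suggested above (no default recipient for --to, an explicit opt-in before a file outside the workspace is sent), sketched as an added Node.js example. This is not the skill's index.js; the function names, the ID patterns and the fixture files are assumptions made for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const MAX_BYTES = 30 * 1024 * 1024; // the 30 MB upload limit stated in SKILL.md

// Require an explicit recipient, no default. ID shapes are assumed from SKILL.md.
function parseTarget(to) {
  const m = /^(?:chat:(oc_\w+)|open_id:(ou_\w+))$/.exec(String(to ?? ''));
  if (!m) throw new Error('--to must be chat:oc_<id> or open_id:ou_<id>');
  return m[1] ? { kind: 'chat', id: m[1] } : { kind: 'open_id', id: m[2] };
}

// Resolve symlinks first, so a link inside the workspace is judged by its target.
function classifyPath(file, workspace) {
  const root = fs.realpathSync(workspace);
  const real = fs.realpathSync(path.resolve(root, file)); // throws if missing
  const rel = path.relative(root, real);
  const inside = rel !== '' && !path.isAbsolute(rel) && rel.split(path.sep)[0] !== '..';
  return { real, inside };
}

// Returns the validated send plan, or throws before anything leaves the host.
function checkSend({ file, to, workspace, allowOutside = false }) {
  const target = parseTarget(to);
  const { real, inside } = classifyPath(file, workspace);
  const st = fs.statSync(real);
  if (!st.isFile()) throw new Error(`not a regular file: ${real}`);
  if (st.size > MAX_BYTES) throw new Error(`over 30 MB: ${real}`);
  if (!inside && !allowOutside) throw new Error(`outside workspace: ${real}`);
  return { target, real, inside };
}

// Constructed fixture: a workspace file, an outside file, and a symlink to it.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'send-guard-'));
  const workspace = path.join(base, 'workspace');
  const secret = path.join(base, 'secret.txt');
  fs.mkdirSync(workspace);
  fs.writeFileSync(path.join(workspace, 'report.pdf'), 'constructed sample');
  fs.writeFileSync(secret, 'constructed sample');
  fs.symlinkSync(secret, path.join(workspace, 'link.txt'));
  const attempt = (args) => {
    try { return checkSend({ workspace, ...args }).inside ? 'inside' : 'outside'; }
    catch (e) { return 'blocked: ' + e.message; }
  };
  return [{ file: 'report.pdf', to: 'chat:oc_abc123' }, { file: 'report.pdf' },
    { file: 'link.txt', to: 'open_id:ou_abc123' },
    { file: secret, to: 'chat:oc_abc123', allowOutside: true }].map(attempt);
}
```

Calling demo() exercises four cases: a workspace file with an explicit target, the same file with --to omitted, a workspace symlink that leads outside, and an outside file sent with explicit opt-in.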

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.1
latest vk979vy3c8pn6sr017yrvzz910x83n0yn

Runtime requirements

📁 Clawdis
Bins: node

SKILL.md

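feishu-send-files skill description

Basic information

  • Skill name: feishu-send-files
  • Trigger commands: 发文件 ("send file") / 帮我发 ("send for me") / 发送文件 ("send file") / natural language
  • Entry point: index.js
  • Log path: logs/ under the skill directory
  • Dependencies: no external dependencies (Node.js built-in modules only)

⚠️ Important: differences between the two trigger modes

Mode 1: bot trigger (recommended)

@mention the bot in a group chat or in a private chat and say: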

发文件 /path/to/file.pptx
发一下这个 PPT

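The send target is detected automatically

  • @mention the bot in a group → sent to the current group
  • @mention the bot in a private chat → sent to the private chat

Mode 2: command-line invocation (target specified manually)

Run in a terminal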

cd /home/node/.openclaw/workspace/skills/feishu-send-files
node index.js --file "/path/to/file.pptx" --to "chat:群聊 ID"

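⚠️ The send target must be specified manually

  • --to "chat:oc_xxx" → sent to a group chat
  • --to "open_id:ou_xxx" → sent to an individual
  • --to omitted → defaults to sending to an individual (easy to send to the wrong place!)

Feature description

Feishu file-sending skill with three modes:

1. Exact path mode (bot trigger)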

发文件 /home/node/test.pptx

2. File name search mode (bot trigger)

发文件 test.pdf

The file is looked up automatically in the workspace directory.

3. Fuzzy matching + interactive selection (bot trigger)

把 workspace 里面那个 PPT 文件发给我
发一下 Excel 文件

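The bot searches → shows a list → lets you choose → sends.

Core features

  • ✅ Recursive search of the workspace directory (3 levels deep)
  • ✅ Smart keyword extraction (Chinese + English)
  • ✅ Automatic file type recognition (12 common formats)
  • ✅ Interactive selection (number/file name)
  • Batch sending (multi-file selection) - reply 1,2,3 or all
  • ✅ File size display
  • ✅ Complete logging
  • ✅ Error handling and status feedback

Trigger rules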

{
  "triggers": [
    {"type": "exact_match", "value": "发文件"},
    {"type": "prefix_match", "value": "发文件 "},
    {"type": "mention", "value": "发文件"},
    {"type": "prefix_match", "value": "帮我发"},
    {"type": "prefix_match", "value": "发一下"},
    {"type": "prefix_match", "value": "把文件"},
    {"type": "prefix_match", "value": "发送文件"},
    {"type": "prefix_match", "value": "发这个文件"},
    {"type": "prefix_match", "value": "发那个文件"},
    {"type": "contains", "value": "发文件"},
    {"type": "contains", "value": "发送文件"}
  ]
}

Quick usage guide

✅ Recommended: @mention the bot in a group to send

@机器人 发文件 /path/to/file.pptx
@机器人 发一下这个 PPT

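Advantage: group chat vs. private chat is detected automatically, so files do not go to the wrong place!

⚠️ Command-line invocation (the target must be specified manually)

# Send to a group chat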
node index.js --file "/path/to/file.pptx" --to "chat:oc_群聊 ID"

# Send to an individual
node index.js --file "/path/to/file.pptx" --to "open_id:ou_用户 ID"

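# Omitting --to → defaults to sending to an individual (easy to send to the wrong place!)

Command-line parameters

| Parameter | Description | Example |
| --- | --- | --- |
| --file | File path (may be repeated) | --file "/path/a.pptx" --file "/path/b.pdf" |
| --files | Multiple files (comma-separated) | --files "/path/a.pptx,/path/b.pdf" |
| --search | Search keyword | --search "PPT" |
| --to | Send target (must be specified) | --to "chat:oc_xxx" / --to "open_id:ou_xxx" |

Usage examples

Exact path (bot trigger)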

发文件 /home/node/test.pptx
@机器人 发文件 /path/to/data.xlsx

File name search (bot trigger)

发文件 test.pdf
帮我发一下 report.docx

Fuzzy matching (bot trigger)

把 workspace 里面那个 PPT 文件发给我
发一下 Excel 文件
帮我发会议纪要
发送那个 PDF

Bot response

找到 3 个匹配文件,请选择:

1. test.pptx (2.3 MB)
2. 交易报告.pptx (1.8 MB)
3. 会议纪要.pptx (856 KB)

回复数字选择(如:1)或输入多个数字(如:1,2,3)或输入 "all" 发送全部

Batch sending example

用户:发 PPT 文件
机器人:找到 3 个文件...请选择
用户:1,3
机器人:✅ 发送完成!成功 2/2 个文件

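Quick troubleshooting

| Problem | Solution |
| --- | --- |
| File sent to the wrong place (to an individual instead of the group) | Bot triggers detect the target automatically; command-line calls must add --to "chat:群聊 ID" |
| Abnormal file name | Use the final version of index.js |
| No logs | Grant permissions on the logs directory: chmod -R 777 logs |
| Bot not responding | Restart OpenClaw and check the file path |
| Send failed | Check Feishu permissions and the appId/appSecret configuration |
| Token acquisition failed | Check that appId/appSecret are correct |
| File upload failed | Check the file size (≤30MB) and the network |
| No matching file found | Check that the keyword is accurate, or use an absolute path |
| Multiple matching files | The bot shows a list; reply with a number or file name to choose |

Best practices

Recommended: @mention the bot in a group to send files (the group chat is detected automatically)
❌ Avoid: forgetting the --to parameter in command-line calls (the file goes to an individual)

Technical implementation

  • Token acquisition: uses the tenant_access_token internal portal API
  • File upload: multipart/form-data form upload to the Feishu file endpoint
  • Message sending: sends a file message using the file_key
  • Logging: synchronous append writes, so nothing is lost
  • Path extraction: smart recognition of absolute paths, relative paths and files in the workspace directory
  • Fuzzy search: recursive search + keyword matching + extension filtering
  • Interactive selection: shows the file list and waits for the user's choice

Required permissions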

  • im:message:send_as_bot
  • im:message:send_to_chat
  • im:message:send_to_open_id

Files

7 total