feishu file transfer guide

Verdict: Suspicious

Audited by ClawScan on May 10, 2026.

Overview

This Feishu file-transfer guide is mostly purpose-aligned, but its recommended code disables HTTPS certificate verification while handling app secrets, tokens, and file uploads.

Review the code before using it. The overall Feishu upload/send flow is coherent, but remove the SSL certificate-verification bypass before handling real app secrets, access tokens, or files. Use a limited-permission Feishu app and confirm the recipient and file path before sending.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An attacker positioned on the network path (a hostile Wi-Fi hotspot or a compromised proxy, for example) could present any certificate for the Feishu API host, and the guide's client would accept it. That attacker could then read or alter the app secret sent during token retrieval, the resulting tenant access token, and the contents of every uploaded file.

Why it was flagged

The recommended Python implementation disables HTTPS certificate and hostname validation for Feishu API calls, including token retrieval and file upload.

Skill content

ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONE

Recommendation

Do not use the SSL-disabling lines. Keep Python's default certificate verification enabled (ssl.create_default_context() already sets check_hostname to True and verify_mode to CERT_REQUIRED) and only connect to the official Feishu API over properly validated HTTPS. If verification fails in your environment, fix the trust store or the intercepting proxy rather than turning validation off; the same applies to the equivalent requests-style verify=False shortcut.
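The two quoted lines beside their replacement, as an added example that is not code from the guide or from ClawScan: an ast-based check that flags the bypass in a constructed copy of the snippet, the way a static scan signal would, and a helper that builds the verified context the recommendation asks for. The check also looks for a requests-style verify=False keyword, an assumption about how other versions of such a guide might disable verification; the Feishu API is not contacted.

```python
import ast
import ssl
import urllib.request

# Constructed sample containing the pattern the finding quotes; not the full skill.
FLAGGED_SNIPPET = """
import ssl
ssl_context = ssl.create_default_context()
ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONE
"""


def find_tls_bypass(source: str) -> list:
    """Statically flag lines that disable certificate or hostname checks.

    Catches the two attribute assignments quoted in the finding plus the
    requests-style `verify=False` keyword (assumed pattern, see lead-in).
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if not isinstance(target, ast.Attribute):
                    continue
                value = node.value
                if (target.attr == "check_hostname"
                        and isinstance(value, ast.Constant) and value.value is False):
                    hits.append(f"line {node.lineno}: check_hostname = False")
                if (target.attr == "verify_mode"
                        and isinstance(value, ast.Attribute) and value.attr == "CERT_NONE"):
                    hits.append(f"line {node.lineno}: verify_mode = CERT_NONE")
        elif isinstance(node, ast.Call):
            for kw in node.keywords:
                if (kw.arg == "verify"
                        and isinstance(kw.value, ast.Constant) and kw.value.value is False):
                    hits.append(f"line {node.lineno}: verify=False")
    return hits


def make_verified_context() -> ssl.SSLContext:
    """The replacement for the flagged lines.

    create_default_context() already validates the chain against the system
    trust store and checks the hostname; the assignments below are the
    defaults, written out so the intent is visible in review.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_opener() -> urllib.request.OpenerDirector:
    """Opener the token and upload calls should use; nothing is fetched here."""
    return urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=make_verified_context()))


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Runtime guard: refuse to send credentials over an unverified context."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED
```

Run find_tls_bypass over the guide's Python before installing it; any hit is the finding above. Pass the opener from make_opener() to every Feishu call so the token request and the upload share one verified context.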

What this means

Anyone with these credentials or the resulting token may be able to upload files or send messages according to the Feishu app’s permissions.

Why it was flagged

The guide requires Feishu app credentials to obtain a tenant_access_token, which is expected for the integration but grants delegated authority in the Feishu tenant.

Skill content

"app_id": "cli_xxxxxxxxxx",
"app_secret": "xxxxxxxxxx"

Recommendation

Use a least-privilege Feishu app, protect the app secret, avoid pasting real secrets into shared chats or logs, and rotate credentials if exposed.

What this means

A mistaken file path or recipient ID could send private local files to the wrong Feishu user or tenant location.

Why it was flagged

The guide reads a local file path and uploads the selected file to Feishu, which is central to the stated purpose but can expose local data if used on the wrong file.

Skill content

with open(file_path, 'rb') as f:
    file_data = f.read()

Recommendation

Confirm the exact file path, display name, and recipient open_id before upload or message send. Restrict uploads to a dedicated directory and resolve the path (following symlinks and '..') before reading it, so a mistyped or attacker-supplied path cannot reach keys, tokens, or other sensitive local files; avoid using broad or sensitive paths.
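Added example covering the second and third findings together; it is not code from the guide or from ClawScan. Credentials come from the environment with a redacted form for logs and chat, and a pre-send check confines the file path to one directory and validates the recipient id before any bytes are read for upload. The environment variable names, the open_id pattern and the sample files are assumptions made for this example; the Feishu API is not contacted.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: Feishu user open_ids are "ou_" followed by an opaque alphanumeric
# string. Tighten the pattern to what your tenant actually issues.
OPEN_ID_RE = re.compile(r"^ou_[0-9A-Za-z]{8,}$")


def load_credentials(env=os.environ) -> dict:
    """Read app credentials from the environment, never from the skill file."""
    app_id = env.get("FEISHU_APP_ID")          # assumed variable name
    app_secret = env.get("FEISHU_APP_SECRET")  # assumed variable name
    if not app_id or not app_secret:
        raise RuntimeError("FEISHU_APP_ID and FEISHU_APP_SECRET must be set")
    if not app_id.startswith("cli_"):  # the prefix quoted in the finding
        raise RuntimeError("FEISHU_APP_ID does not look like a Feishu app id")
    return {"app_id": app_id, "app_secret": app_secret}


def redact(secret: str, keep: int = 3) -> str:
    """Form of a secret that is safe to paste into a log line or chat."""
    if len(secret) <= keep:
        return "***"
    return secret[:keep] + "***"


def resolve_upload_path(allowed_root: Path, requested: str) -> Path:
    """Confine the upload to one directory; symlinks and '..' are resolved first."""
    root = allowed_root.resolve()
    target = (root / requested).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise ValueError(f"{requested!r} escapes the allowed directory {root}")
    if not target.is_file():
        raise ValueError(f"{requested!r} is not a regular file")
    return target


def validate_recipient(open_id: str) -> str:
    """Reject anything that is not a user open_id (e.g. a chat id pasted by mistake)."""
    if not OPEN_ID_RE.match(open_id):
        raise ValueError(f"recipient {open_id!r} is not a user open_id")
    return open_id


def plan_upload(allowed_root: Path, requested: str, open_id: str, display_name: str = "") -> dict:
    """Everything the operator should confirm before any bytes leave the host."""
    path = resolve_upload_path(allowed_root, requested)
    return {
        "path": str(path),
        "file_name": display_name or path.name,
        "size_bytes": path.stat().st_size,
        "receive_id": validate_recipient(open_id),
        "receive_id_type": "open_id",
    }


def demo() -> dict:
    """Constructed scenario: an allowed outbox with a report in it, and a private
    key outside it that a sloppy path or a symlink would otherwise pick up."""
    base = Path(tempfile.mkdtemp())
    outbox = base / "outbox"
    outbox.mkdir()
    (outbox / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    (base / "id_ed25519").write_bytes(b"private key material, constructed")
    (outbox / "link").symlink_to(base / "id_ed25519")

    ok = plan_upload(outbox, "report.pdf", "ou_0123456789abcdef")
    blocked = []
    for bad in ("../id_ed25519", "link", "missing.txt"):
        try:
            plan_upload(outbox, bad, "ou_0123456789abcdef")
        except ValueError:
            blocked.append(bad)
    try:
        validate_recipient("oc_not_a_user")  # a chat id, not a user open_id
    except ValueError:
        blocked.append("oc_not_a_user")
    return {"ok": ok, "blocked": blocked}
```

Print the dict returned by plan_upload and have the operator acknowledge it before the token request and upload run; log credentials only through redact().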