feishu file transfer guide
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: feishu-file-transfer-guide
Version: 1.0.0

The skill bundle is a technical guide for uploading and sending files via the Feishu (Lark) API, but it contains a significant security vulnerability. Specifically, the provided Python code in SKILL.md explicitly disables SSL certificate verification (using ssl.CERT_NONE), which exposes the agent to man-in-the-middle attacks. While the code appears intended for educational purposes, the inclusion of insecure networking practices and the capability to exfiltrate local files to external API endpoints (open.feishu.cn) warrants a suspicious classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network attacker could potentially intercept or tamper with the Feishu app secret, tenant access token, or uploaded file contents.
The recommended Python implementation disables HTTPS certificate and hostname validation for Feishu API calls, including token retrieval and file upload.
ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONE
Do not use the SSL-disabling lines. Keep Python’s default certificate verification enabled and only connect to the official Feishu API over properly validated HTTPS.
Anyone with these credentials or the resulting token may be able to upload files or send messages according to the Feishu app’s permissions.
The guide requires Feishu app credentials to obtain a tenant_access_token, which is expected for the integration but grants delegated authority in the Feishu tenant.
"app_id": "cli_xxxxxxxxxx",
"app_secret": "xxxxxxxxxx"
Use a least-privilege Feishu app, protect the app secret, avoid pasting real secrets into shared chats or logs, and rotate credentials if exposed.
A mistaken file path or recipient ID could send private local files to the wrong Feishu user or tenant location.
The guide reads a local file path and uploads the selected file to Feishu, which is central to the stated purpose but can expose local data if used on the wrong file.
with open(file_path, 'rb') as f:
    file_data = f.read()

Confirm the exact file path, display name, and recipient open_id before upload or message send; avoid using broad or sensitive paths.
