Feishu Webhook

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: feishu-webhook
Version: 1.2.4

The skill is a straightforward utility for sending Markdown-formatted messages to Feishu via webhooks. The core logic in `scripts/send-feishu.py` uses standard Python libraries to sign requests and transmit data to a user-configured endpoint. There are no indicators of malicious intent, such as unauthorized data exfiltration, command injection, or obfuscated code.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anything the user or agent passes into the script may be posted to a Feishu channel or DM.

Why it was flagged

The script sends all provided stdin content to the configured Feishu webhook. This is the intended function, but it is an external message/data flow.

Skill content

content = sys.stdin.read().strip()
...
conn.request("POST", u.path, json.dumps(payload, ensure_ascii=False).encode(), {"Content-Type": "application/json"})

Recommendation

Only send content intended for that Feishu destination, and avoid including secrets or private data unless the channel is appropriate.

What this means

Whoever can use the configured environment can post messages through that Feishu bot/webhook.

Why it was flagged

The skill documents use of a webhook URL and secret, and the code reads them from environment variables. These credentials are expected for Feishu webhook posting, though the registry metadata lists no required env vars or primary credential.

Skill content

"FEISHU_WEBHOOK_URL": "https://open.feishu.cn/open-apis/bot/v2/hook/xxx",
"FEISHU_WEBHOOK_SECRET": "your_secret"

Recommendation

Configure a least-privilege Feishu webhook, protect the webhook URL and secret, and rotate them if they are exposed.