Feishu File Delivery
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: feishu-file-delivery Version: 2.0.0 The skill bundle instructs the AI agent to output absolute local file paths to trigger an automatic upload to Feishu and suggests using shell commands (ls -la) for file verification in agents/delivery.agent.md. While these capabilities are aligned with the stated purpose of file delivery, the design pattern is inherently risky as it lacks output sanitization or directory restrictions, creating a significant data exfiltration vector if the agent is prompted to reveal sensitive system files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Any existing local file path included in the final Feishu reply may be uploaded to the chat, and the absolute path itself may reveal local directory information.
The skill intentionally sends local files through the Feishu adapter based on paths included in a message. This is disclosed and purpose-aligned, but it crosses a local-to-chat data boundary.
OpenClaw's Feishu outbound adapter automatically detects and uploads files when: ... Absolute file paths appear in the reply text ... Files exist at those paths
Before sending, ensure the listed paths point only to files the user intended to share, preferably freshly generated outputs in a known workspace directory.