Send File

Review

Audited by ClawScan on May 1, 2026.

Overview

This skill does what it says—send user-requested files through Feishu—but it needs messaging credentials and can upload local files externally, so users should verify the file and recipient.

Install only if you intend to let the agent send files through Feishu. Use a dedicated Feishu app secret, store it securely, and confirm the file path and recipient whenever the request is ambiguous.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A wrong file path or wrong inferred recipient could send private content to the wrong Feishu chat.

Why it was flagged

The skill sends local files to a messaging provider and may infer the Feishu recipient from the current conversation. This matches the purpose, but file and recipient mistakes could expose private data.

Skill content

When in a Feishu conversation, automatically infer the open_id ... python ~/.openclaw/skills/send-file/scripts/send_feishu_file.py <file_path> <open_id>

Recommendation

Before use, confirm the exact file path and destination chat or user, especially when the request is vague.

What this means

Anyone with access to these credentials could potentially use the Feishu app's messaging/resource permissions.

Why it was flagged

The skill requires Feishu application credentials with permission to upload resources and send messages. That authority is expected for the integration, but the registry metadata lists no required credentials or environment variables.

Skill content

export FEISHU_APP_ID='cli_xxx' ... export FEISHU_APP_SECRET='xxx' ... Make sure the app has the `im:message` and `im:resource` permissions

Recommendation

Use a dedicated Feishu app with only the required permissions, protect the app secret, and rotate it if it may have been exposed.

What this means

If invoked with an unintended path, the script can upload any readable local file to Feishu.

Why it was flagged

The helper script opens the provided local path and uploads its contents to Feishu. This is exactly the skill's purpose, but it is a broad file-transfer capability.

Skill content

with open(file_path, 'rb') as f: ... requests.post(url, headers=headers, files=files, data=data)

Recommendation

Keep usage user-directed and verify paths before running the script for sensitive files.

What this means

The skill may fail or require manual dependency setup on systems that do not already have Python and requests available.

Why it was flagged

The script depends on the Python requests package, while the provided install metadata declares no required binaries or install steps. This is a dependency declaration gap rather than evidence of malicious code.

Skill content

import requests

Recommendation

Document the Python and requests requirements in the install metadata or setup instructions.