ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu File Sender

v1.2.0

飞书文件发送助手 - 通过临时目录解决OpenClaw飞书发送文件路径白名单问题 | Feishu File Sender - Solve OpenClaw Feishu file path whitelist issue

0· 361·0 current·0 all-time
by@yingyangdao
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (workaround for OpenClaw path whitelist) aligns with the provided scripts: they detect available media dirs, copy files into a temporary uploads folder, list and remove temp files, and (optionally) write a skill-specific allowedPaths entry into ~/.openclaw/openclaw.json. No unrelated credentials or network endpoints are required.
!
Instruction Scope
SKILL.md instructs the user to run perm-config.js which will write to ~/.openclaw/openclaw.json to add an entry for this skill. That behavior is consistent with the purpose, but the script explicitly offers a '宽松' option that sets allowedPaths to '/**' (entire filesystem). Running the script modifies user configuration and can broaden the file-access whitelist for the OpenClaw plugin—this is sensitive and should be done only with explicit user consent. The scripts also create directories and write/delete files under chosen media dirs; these file-IO actions are expected for the feature.
Install Mechanism
No install spec or external downloads are present; this is an instruction-only skill with bundled Node scripts. No external URLs, archive extraction, or installation steps are required by the SKILL.md. package.json lists axios but the shipped scripts do not call network code; there is no automatic install of npm packages.
Credentials
The skill does not request credentials or configuration paths beyond writing a skill entry in ~/.openclaw/openclaw.json and using local filesystem paths. It optionally reads FEISHU_MEDIA_DIRS from the environment (not documented in SKILL.md as a required var) which is non-sensitive but should be noted. There are no secret tokens requested. The primary risk is privilege scope from allowedPaths, not credential exfiltration.
!
Persistence & Privilege
perm-config.js writes to the user's OpenClaw config (~/.openclaw/openclaw.json) to register allowedPaths for this skill. Writing to agent/config is an expected install-time action for this use case, but the ability to set allowedPaths to '/**' effectively grants the OpenClaw Feishu plugin (and therefore any code that relies on those allowlists) access to the whole filesystem. That elevated, persistent permission is significant and should be applied only after review. The skill does not set always:true and does not alter other skills' entries beyond adding its own.
What to consider before installing
This skill appears to do what it says (copy files to a temporary media dir and register that dir with OpenClaw), but it modifies your OpenClaw config and can be configured to allow access to the entire filesystem. Before running: (1) Backup ~/.openclaw/openclaw.json if it exists. (2) Inspect perm-config.js and decide which option to choose — avoid the '宽松' (/**) option unless you fully understand the risk. (3) Prefer the '中等' option and/or set FEISHU_MEDIA_DIRS to a single, narrowly-scoped directory you control. (4) Run the scripts as an unprivileged user and review copied temp files; run clean.js after sending. (5) If you are unsure, run the scripts in a sandbox/container or inspect the code line-by-line (the project is local Node scripts with no external downloads).

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📎 Clawdis
latestvk971hjkj6estwk76eynz6av0vn82fxq3
361downloads
0stars
3versions
Updated 7h ago
v1.2.0
MIT-0
@yingyangdao
latest
Download

飞书文件发送助手 | Feishu File Sender

解决 OpenClaw 飞书发送文件时的路径白名单问题! Solve OpenClaw Feishu file path whitelist issue!

📋 问题说明 | Problem

OpenClaw 发送飞书图片/文件时,飞书插件读取本地文件经过核心的路径白名单检查,导致只能发送白名单路径内的文件。

When sending Feishu images/files via OpenClaw, the Feishu plugin reads local files through OpenClaw's path whitelist check, which only allows files in whitelisted paths.

💡 解决方案 | Solution

  1. 配置技能读取权限 - 自动适配多系统
  2. 在临时目录下创建文件夹,发送前复制文件到临时目录
  3. 发送成功后删除临时文件

🚀 快速开始 | Quick Start

第一步:配置权限(必做)

cd skills/feishu-temp-file

# 显示权限选项
node scripts/perm-config.js

# 选择并应用配置 (1/2/3)
node scripts/perm-config.js 2

权限选项说明:

选项名称路径范围
1限制级/home/admin, /tmp, /home
2中等/home, /tmp, /opt, /var, /srv
3宽松/** (整个系统)

第二步:检查目录权限

# 检查临时目录权限状态
node scripts/check-perm.js

第三步:使用技能

# 复制文件到临时目录
node scripts/prepare.js /path/to/your/file.png

# 发送成功后清理
node scripts/clean.js

📜 所有脚本 | All Scripts

脚本功能
perm-config.js配置技能读取权限 (首次必做) ✅
check-perm.js检查临时目录权限状态
prepare.js复制文件到临时目录
list.js列出临时文件
clean.js清理临时文件
detect-system.js检测系统类型

📁 项目结构 | Project Structure

feishu-temp-file/
├── SKILL.md              
├── _meta.json            
├── package.json          
├── config.example.json   
└── scripts/
    ├── shared.js         
    ├── perm-config.js    # 配置权限 ✅ (新增)
    ├── check-perm.js     
    ├── prepare.js        
    ├── list.js           
    └── clean.js

⚠️ 注意事项 | Notes

  1. 首次使用必须先运行 perm-config.js - 配置技能读取权限
  2. 选择权限级别后会自动写入 ~/.openclaw/openclaw.json
  3. 发送成功后记得清理临时文件

🔗 相关链接 | Links

提示: 建议选择"中等"权限,既方便使用又相对安全! Tip: Recommend option 2 (Medium) for balance between convenience and security!

Comments

Loading comments...