Feishu Media Delivery

v0.1.1

Reliably deliver generated images and videos to Feishu/Lark users and chats. Use when an agent already has a local image/video result and must send it to Fei...

by harry zhu (@zhy2015)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign, medium confidence
Purpose & Capability
The name/description describe exactly what the scripts do: upload images/media and send Feishu messages. The included code uses the official @larksuiteoapi/node-sdk and reads local media files to upload — this is proportional to the purpose. However, registry metadata lists no required env vars while SKILL.md and the scripts require FEISHU_APP_ID and a FEISHU_APP_SECRET_PATH (or default secret file). That metadata omission is an incoherence in packaging.
Instruction Scope
SKILL.md instructs the agent to run the included node scripts with a target receive_id and local file path. The scripts read a local secret file and the specified media file, call Feishu APIs via the SDK, and print Feishu responses. They do not reference unrelated system paths, contact external endpoints beyond Feishu (via the SDK), nor attempt to collect or transmit other local data. They require explicit file path arguments, so accidental broad data access is limited to what the caller passes.
Install Mechanism
There is no install spec although a package.json and package-lock.json are included. Dependencies are normal (npm registry, @larksuiteoapi/node-sdk). This is not dangerous, but users must run npm install (and have Node) to run the scripts; the package metadata should ideally declare this. No downloads from unknown/personal URLs are present.
Credentials
The scripts legitimately need FEISHU_APP_ID and the app secret (via FEISHU_APP_SECRET_PATH or a default file). That scope is proportional to sending messages on behalf of a Feishu app. The incoherence: the skill registry metadata lists no required environment variables or primary credential, which understates the secret access the scripts need. The secret is read from a filesystem path, so the secret file's location and permissions matter.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and does not persist new credentials or enable itself. It only reads a secret file and local media files at runtime.
Assessment
This skill appears to do exactly what it claims (upload local images/videos and send Feishu messages) and uses the official Feishu Node SDK. Before installing or running it, verify:
1) You have a trusted FEISHU_APP_ID and a securely stored app secret file (the script defaults to ~/.openclaw/secrets/feishu_app_secret or FEISHU_APP_SECRET_PATH). Ensure the secret file permissions are tight.
2) The registry metadata omission: the skill should declare required env vars; treat that as a packaging bug and confirm the required variables before enabling automated invocation.
3) Run npm install in the scripts folder in a controlled environment and perform an npm audit on dependencies.
4) Because the scripts will read any file path you pass, ensure the agent or caller cannot be tricked into sending sensitive local files to Feishu.
If you need stronger assurance, ask the publisher for a homepage/source repo or a signed release; absence of a homepage reduces provenance confidence.

