Feishu File Sender

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill’s behavior is coherent and disclosed: it uploads a specified local file to Feishu using local OpenClaw Feishu credentials, so users should verify the file and recipient before use.

Use this skill if you are comfortable letting the agent send selected local files to Feishu using the configured Feishu app. Before sending sensitive content, confirm the file path and recipient, prefer the current chat ID, and ensure ~/.openclaw/openclaw.json is protected.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user or agent invoking the skill can send local file contents into a Feishu chat or to a Feishu user.

Why it was flagged

The bundled CLI uploads a caller-provided local file path and sends it to a caller- or environment-provided Feishu recipient. This is the intended capability, but it is high-impact if the wrong file or recipient is used.

Skill content

parser.add_argument("--file", required=True, help="Local file path") ... file_key = upload_file(token, file_path, args.file_type); result = send_file_message(token, receive_id, receive_id_type, file_key)

Recommendation

Use it only for intended generated files, prefer the current chat ID, and add a confirmation step in workflows that may handle sensitive files.

What this means

The skill can act through the configured Feishu app or bot account when sending uploaded files.

Why it was flagged

The script reads Feishu application credentials from the local OpenClaw configuration to obtain a tenant access token. This is disclosed and purpose-aligned, but it grants delegated Feishu messaging authority.

Skill content

OPENCLAW_CONFIG = Path.home() / ".openclaw" / "openclaw.json" ... app_id = account.get("appId"); app_secret = account.get("appSecret")

Recommendation

Keep the OpenClaw config file protected, verify the agent-to-account binding is correct, and grant the Feishu app only the permissions needed for file upload and message sending.