← Back to Skills Marketplace

send image in feishu

Name: send image in feishu
Author: jamesqin-cn

by jamesqin-cn · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install send-feishu-image

Description

Send images inline in Feishu chat by uploading via API to get image_key, then sending image message using receive_id_type in URL query.

Usage Guidance

This skill will create and execute a temporary Node.js script and read your local openclaw.json to get app credentials, yet it declares no required binaries or credentials and even includes a hardcoded appSecret in the instructions. Before installing or using it: (1) Do NOT trust or reuse the hardcoded appSecret — treat it as a leaked secret and rotate it immediately if it is real. (2) Require the author to explicitly declare that node is required and to move credentials to secure env vars or a secrets manager rather than reading global config files. (3) Prefer a version that asks for appId/appSecret at runtime or uses an official SDK instead of writing/executing ad-hoc scripts. (4) If you must run it, run in an isolated environment, audit the generated script before execution, and restrict the Feishu app’s permissions. (5) Ask the publisher why openclaw.json must be read and request they remove the embedded secret from SKILL.md.

Capability Analysis

Type: OpenClaw Skill Name: send-feishu-image Version: 1.0.0 The skill bundle contains a hardcoded sensitive credential (`appSecret`: `Q3c78ab1ORB7xOj0JtRz2d1GwQtzZcZH`) within the `SKILL.md` file, which constitutes a significant security risk and credential leak. Furthermore, the instructions direct the AI agent to bypass standard tool constraints by generating and executing arbitrary Node.js scripts from the `/tmp` directory. While these patterns are highly risky and represent poor security practice, they appear functionally aligned with the stated goal of resolving Feishu image rendering issues rather than demonstrating clear intent for data exfiltration or system compromise.

Capability Tags

requires-oauth-token

Capability Assessment

⚠ Purpose & Capability

The stated purpose (send images via Feishu API) matches the instructions (upload image → get image_key → send). However the skill does not declare that it needs a Node runtime or any credentials, yet the instructions require reading openclaw.json for appId/appSecret and executing node. The need to access local configuration files (openclaw.json) and the presence of a hardcoded appSecret in the SKILL.md are not proportionate to the declared requirements.

⚠ Instruction Scope

Runtime instructions direct the agent to (a) read openclaw.json for credentials, (b) generate a temp file under /tmp, (c) run that file with node, and (d) read an absolute IMAGE_PATH. Reading a global config file and executing generated code are higher-privilege actions that go beyond a simple message-send helper and are not explicitly constrained or justified in the skill metadata.

ℹ Install Mechanism

This is instruction-only (no install spec), which avoids writing code to disk during install. However the runtime relies on an implicit binary (node) that is not declared in required binaries. Generating and executing temporary JS on disk is a runtime install-like action and should have been declared.

⚠ Credentials

requires.env lists nothing, but the SKILL.md instructs reading openclaw.json to extract appId/appSecret (sensitive). The doc even includes a concrete appSecret value for the 'cto' account. Asking for/using a tenant app secret and reading a global channels config is high-sensitivity and is not represented in the skill's declared requirements — this mismatch is disproportionate and exposes secrets.

✓ Persistence & Privilege

The skill is not always:true and does not request persistent system presence. It instructs creating and removing a temporary file and does not claim to modify other skills or system-wide config. Autonomous invocation is allowed by default but is not combined here with other elevated privilege requests.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install send-feishu-image
After installation, invoke the skill by name or use /send-feishu-image
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

- Initial release of feishu-image-send skill. - Enables sending images that render inline in Feishu chat via direct Feishu Open API calls. - Bypasses common rendering issues with the standard message tool's image/file attachment. - Provides a step-by-step Node.js script workflow for reliable image delivery. - Includes troubleshooting guidance and integration examples for automation.

Metadata

Slug send-feishu-image

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is send image in feishu?

Send images inline in Feishu chat by uploading via API to get image_key, then sending image message using receive_id_type in URL query. It is an AI Agent Skill for Claude Code / OpenClaw, with 87 downloads so far.

How do I install send image in feishu?

Run "/install send-feishu-image" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is send image in feishu free?

Yes, send image in feishu is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does send image in feishu support?

send image in feishu is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created send image in feishu?

It is built and maintained by jamesqin-cn (@jamesqin-cn); the current version is v1.0.0.

More Skills