← Back to Skills Marketplace
bingothreed

feishu-files

by Bingo · GitHub ↗ · v1.0.2 · MIT-0
cross-platform ⚠ suspicious
178
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install feishu-files
Description
A simple skill send files to feishu.
README (SKILL.md)

\r \r

Skill: 飞书发文件\r

\r

飞书发文件(重要!目前只测试了图片和视频)\r

OpenClaw的message工具目前不能直接在飞书发送本地视频或图像。\r 正确方法:用exec工具执行curl调飞书API,分三步:\r \r

Step 1: 获取tenant_access_token\r

APP_SECRET=$(python3 -c "import json; c=json.load(open('/root/.openclaw/openclaw.json')); print(c['channels']['feishu']['appSecret'])")\r APP_ID=$(python3 -c "import json; c=json.load(open('/root/.openclaw/openclaw.json')); print(c['channels']['feishu']['appId'])")\r TOKEN=$(curl -s -X POST 'https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal' \r -H 'Content-Type: application/json' \r -d '{"app_id":"'$APP_ID'","app_secret":"'$APP_SECRET'"}' \r | python3 -c "import json,sys; print(json.load(sys.stdin)['tenant_access_token'])")\r \r

Step 2: 上传图片获取image_key\r

IMAGE_KEY=$(curl -s -X POST 'https://open.feishu.cn/open-apis/im/v1/images' \r -H "Authorization: Bearer $TOKEN" \r -F "image_type=message" \r -F "image=@/path/to/image.png" \r | python3 -c "import json,sys; print(json.load(sys.stdin)['data']['image_key'])")\r \r

Step 3: 发送图片消息\r

curl -s -X POST 'https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id' \r -H "Authorization: Bearer $TOKEN" \r -H "Content-Type: application/json" \r -d '{"receive_id":"收信人open_id","msg_type":"image","content":"{"image_key":"'$IMAGE_KEY'"}"}'

Usage Guidance
This skill will run shell commands (curl, python3) and reads your OpenClaw config file (/root/.openclaw/openclaw.json) to extract the Feishu appId/appSecret and mint a tenant token, then uploads a local file to Feishu. Before installing, consider: 1) The skill metadata doesn't declare that it needs your OpenClaw config or the python3/curl binaries — verify and be comfortable with that. 2) Inspect /root/.openclaw/openclaw.json to confirm it only contains credentials you intend to share; if you don't want the skill to read that file, do not install or modify the SKILL.md to accept credentials via explicit env vars. 3) Because the skill can upload arbitrary local files, avoid running it where sensitive files are present, and run it with least privilege. 4) Ask the publisher to: declare required config paths/binaries in the registry, provide an alternative that takes appId/appSecret as explicit parameters or env vars, and avoid hardcoded /root paths so the instructions work on non-root/Windows systems. If you can't confirm these changes, treat the skill cautiously or run it in an isolated environment.
Capability Analysis
Type: OpenClaw Skill Name: feishu-files Version: 1.0.2 The skill instructions in SKILL.md direct the AI agent to read sensitive credentials (appSecret and appId) directly from the local OpenClaw configuration file (/root/.openclaw/openclaw.json) using shell commands. While this behavior is intended to facilitate Feishu API authentication for file uploads, the practice of hardcoding paths to global configuration files and using raw shell execution (curl/python one-liners) to handle secrets poses a significant security risk. There is no evidence of exfiltration to non-official domains, but the direct access to the platform's core configuration file is a high-risk pattern.
Capability Assessment
Purpose & Capability
The skill's stated purpose (send files to Feishu) matches the runtime actions (obtain tenant token, upload image, send message). However the registry metadata declares no required env vars or config paths while the instructions explicitly read /root/.openclaw/openclaw.json for appId/appSecret and call python3/curl. Those reads and binaries are necessary for the implementation but are not declared in the skill metadata, which is an incoherence.
Instruction Scope
SKILL.md tells the agent to run shell/python3/curl commands and to read a local OpenClaw config file (/root/.openclaw/openclaw.json). That file contains secrets (appId/appSecret) needed to mint tokens. The instructions permit uploading arbitrary local files (image/video paths) to Feishu — appropriate for the feature but also a potential exfiltration vector if misused. The instructions are also hardcoded to a root path and assume presence of python3 and curl, making them platform-specific and undeclared.
Install Mechanism
There is no install spec (instruction-only), so nothing is written to disk by the skill itself. This is lower risk than arbitrary downloads, but the runtime instructions require external tools (python3, curl) which the registry did not list as required binaries.
Credentials
The skill declares no required credentials or config paths, yet the steps read appId/appSecret from an on-disk OpenClaw config file. Accessing secret credentials without declaring them is disproportionate and should be surfaced to users. While the secrets are used for Feishu API access (which is consistent with the purpose), the skill metadata should declare that it needs those credentials or accept them via explicit env vars.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and is user-invocable only. Autonomous invocation is allowed (platform default) but not combined with other high-risk privileges here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install feishu-files
  3. After installation, invoke the skill by name or use /feishu-files
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
- Updated documentation to retrieve APP_ID dynamically from the config file, instead of requiring manual entry. - Improved instructions for generating tenant_access_token with both APP_ID and APP_SECRET.
v1.0.1
- Updated documentation: replaced skill.md with SKILL.md in enhanced format. - Added YAML frontmatter (name and description) to SKILL.md for improved metadata. - No functional changes to the skill code.
v1.0.0
First version to send video and photo to feishu robot
Metadata
Slug feishu-files
Version 1.0.2
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is feishu-files?

A simple skill send files to feishu. It is an AI Agent Skill for Claude Code / OpenClaw, with 178 downloads so far.

How do I install feishu-files?

Run "/install feishu-files" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is feishu-files free?

Yes, feishu-files is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does feishu-files support?

feishu-files is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created feishu-files?

It is built and maintained by Bingo (@bingothreed); the current version is v1.0.2.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463556 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259610 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200551 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191226 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190235 · by oswalpalash

💬 Comments