Feishu Card
by autogame-17 · v1.4.11
Downloads: 3978 · Stars: 3 · Active Installs: 61 · Versions: 2
Install in OpenClaw
/install feishu-card
Description
Send rich interactive Feishu cards with markdown, headers, buttons, images, and styled persona messages to users or groups.
Usage Guidance
Install only after hardening or running it in an isolated environment. Replace execSync command strings with spawn/execFile argument arrays or direct function calls, validate target/title/color/event fields, remove or clearly disclose smart path inference for --text, and reapply secret scanning before every outbound fallback. Use a least-privilege Feishu app token and avoid sending secrets, logs, code, or regulated data through this skill unless you intend that content to reach Feishu/Lark.
Capability Analysis
Type: OpenClaw Skill
Name: feishu-card
Version: 1.4.11
The skill is classified as suspicious due to critical shell injection vulnerabilities in `handle_event.js` and `send_safe.js`. In `handle_event.js`, the `eventPayload.event.event_key` (untrusted input) is directly embedded into an `execSync` command, allowing arbitrary command execution. Similarly, `send_safe.js`, despite its name, directly interpolates `options.title` (user input) into an `execSync` command, bypassing any intended sanitization for other arguments. Additionally, `send.js` contains a 'Smart Input' feature that could lead to local file disclosure if an attacker can control the `--text` argument to point to sensitive files. While the `send.js` file includes a `scanForSecrets` function, which is a positive security feature, it does not mitigate these RCE or file disclosure risks.
Capability Assessment
Purpose & Capability
Sending Feishu/Lark cards, text, images, buttons, and persona-styled messages is coherent with the stated purpose. However, send_safe.js and handle_event.js build shell command strings from user-controlled or event-controlled values and pass them to execSync, which is not necessary for the messaging capability and can allow host command execution.
Instruction Scope
The README describes send_safe.js as a safe wrapper for raw text, but the wrapper still interpolates target, color, and title into a shell command. The README documents --text-file for file sending, but send.js also silently treats some --text values as local file paths, which is broader than the option description suggests.
Install Mechanism
The package uses ordinary local JavaScript files and npm dependencies on commander and dotenv, with no postinstall/preinstall script, hidden downloader, or obfuscated installer found. The package metadata has version inconsistency and depends on a sibling feishu-common module, but that is packaging risk rather than evidence of malicious install behavior.
Credentials
The skill reasonably needs Feishu credentials and network access to Feishu APIs, but it loads ../../.env, reads user-specified text and image files, can infer a file path from --text, and sends content to Feishu. Those powers are expected only with clear user control and are weakened by the command-injection paths and fallback leak behavior.
Persistence & Privilege
The skill writes temporary message files under ../../temp and caches Feishu image keys under ../../memory/feishu_image_keys.json. This persistence is related to its purpose and no background worker or privilege escalation was found, but the cache location is outside the skill directory and is not clearly disclosed in the README.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install feishu-card
- After installation, invoke the skill by name or use /feishu-card
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.4.11
- No code or documentation changes detected in this version.
- Functionality, usage, and documentation remain unchanged from the previous release.
v1.4.10
Re-publish after account restoration
Frequently Asked Questions
What is Feishu Card?
Send rich interactive Feishu cards with markdown, headers, buttons, images, and styled persona messages to users or groups. It is an AI Agent Skill for Claude Code / OpenClaw, with 3978 downloads so far.
How do I install Feishu Card?
Run "/install feishu-card" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Feishu Card free?
Yes, Feishu Card is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Feishu Card support?
Feishu Card is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Feishu Card?
It is built and maintained by autogame-17 (@autogame-17); the current version is v1.4.11.