← 返回 Skills 市场
bingothreed

feishu-files

作者 Bingo · GitHub ↗ · v1.0.2 · MIT-0
cross-platform ⚠ suspicious
178
总下载
0
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install feishu-files
功能描述
A simple skill send files to feishu.
使用说明 (SKILL.md)

\r \r

Skill: 飞书发文件\r

\r

飞书发文件(重要!目前只测试了图片和视频)\r

OpenClaw的message工具目前不能直接在飞书发送本地视频或图像。\r 正确方法:用exec工具执行curl调飞书API,分三步:\r \r

Step 1: 获取tenant_access_token\r

APP_SECRET=$(python3 -c "import json; c=json.load(open('/root/.openclaw/openclaw.json')); print(c['channels']['feishu']['appSecret'])")\r APP_ID=$(python3 -c "import json; c=json.load(open('/root/.openclaw/openclaw.json')); print(c['channels']['feishu']['appId'])")\r TOKEN=$(curl -s -X POST 'https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal' \r -H 'Content-Type: application/json' \r -d '{"app_id":"'$APP_ID'","app_secret":"'$APP_SECRET'"}' \r | python3 -c "import json,sys; print(json.load(sys.stdin)['tenant_access_token'])")\r \r

Step 2: 上传图片获取image_key\r

IMAGE_KEY=$(curl -s -X POST 'https://open.feishu.cn/open-apis/im/v1/images' \r -H "Authorization: Bearer $TOKEN" \r -F "image_type=message" \r -F "image=@/path/to/image.png" \r | python3 -c "import json,sys; print(json.load(sys.stdin)['data']['image_key'])")\r \r

Step 3: 发送图片消息\r

curl -s -X POST 'https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id' \r -H "Authorization: Bearer $TOKEN" \r -H "Content-Type: application/json" \r -d '{"receive_id":"收信人open_id","msg_type":"image","content":"{"image_key":"'$IMAGE_KEY'"}"}'

安全使用建议
This skill will run shell commands (curl, python3) and reads your OpenClaw config file (/root/.openclaw/openclaw.json) to extract the Feishu appId/appSecret and mint a tenant token, then uploads a local file to Feishu. Before installing, consider: 1) The skill metadata doesn't declare that it needs your OpenClaw config or the python3/curl binaries — verify and be comfortable with that. 2) Inspect /root/.openclaw/openclaw.json to confirm it only contains credentials you intend to share; if you don't want the skill to read that file, do not install or modify the SKILL.md to accept credentials via explicit env vars. 3) Because the skill can upload arbitrary local files, avoid running it where sensitive files are present, and run it with least privilege. 4) Ask the publisher to: declare required config paths/binaries in the registry, provide an alternative that takes appId/appSecret as explicit parameters or env vars, and avoid hardcoded /root paths so the instructions work on non-root/Windows systems. If you can't confirm these changes, treat the skill cautiously or run it in an isolated environment.
功能分析
Type: OpenClaw Skill Name: feishu-files Version: 1.0.2 The skill instructions in SKILL.md direct the AI agent to read sensitive credentials (appSecret and appId) directly from the local OpenClaw configuration file (/root/.openclaw/openclaw.json) using shell commands. While this behavior is intended to facilitate Feishu API authentication for file uploads, the practice of hardcoding paths to global configuration files and using raw shell execution (curl/python one-liners) to handle secrets poses a significant security risk. There is no evidence of exfiltration to non-official domains, but the direct access to the platform's core configuration file is a high-risk pattern.
能力评估
Purpose & Capability
The skill's stated purpose (send files to Feishu) matches the runtime actions (obtain tenant token, upload image, send message). However the registry metadata declares no required env vars or config paths while the instructions explicitly read /root/.openclaw/openclaw.json for appId/appSecret and call python3/curl. Those reads and binaries are necessary for the implementation but are not declared in the skill metadata, which is an incoherence.
Instruction Scope
SKILL.md tells the agent to run shell/python3/curl commands and to read a local OpenClaw config file (/root/.openclaw/openclaw.json). That file contains secrets (appId/appSecret) needed to mint tokens. The instructions permit uploading arbitrary local files (image/video paths) to Feishu — appropriate for the feature but also a potential exfiltration vector if misused. The instructions are also hardcoded to a root path and assume presence of python3 and curl, making them platform-specific and undeclared.
Install Mechanism
There is no install spec (instruction-only), so nothing is written to disk by the skill itself. This is lower risk than arbitrary downloads, but the runtime instructions require external tools (python3, curl) which the registry did not list as required binaries.
Credentials
The skill declares no required credentials or config paths, yet the steps read appId/appSecret from an on-disk OpenClaw config file. Accessing secret credentials without declaring them is disproportionate and should be surfaced to users. While the secrets are used for Feishu API access (which is consistent with the purpose), the skill metadata should declare that it needs those credentials or accept them via explicit env vars.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and is user-invocable only. Autonomous invocation is allowed (platform default) but not combined with other high-risk privileges here.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install feishu-files
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /feishu-files 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.2
- Updated documentation to retrieve APP_ID dynamically from the config file, instead of requiring manual entry. - Improved instructions for generating tenant_access_token with both APP_ID and APP_SECRET.
v1.0.1
- Updated documentation: replaced skill.md with SKILL.md in enhanced format. - Added YAML frontmatter (name and description) to SKILL.md for improved metadata. - No functional changes to the skill code.
v1.0.0
First version to send video and photo to feishu robot
元数据
Slug feishu-files
版本 1.0.2
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 3
常见问题

feishu-files 是什么?

A simple skill send files to feishu. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 178 次。

如何安装 feishu-files?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install feishu-files」即可一键安装,无需额外配置。

feishu-files 是免费的吗?

是的,feishu-files 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

feishu-files 支持哪些平台?

feishu-files 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 feishu-files?

由 Bingo(@bingothreed)开发并维护,当前版本 v1.0.2。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论