
send image in feishu

Author: jamesqin-cn · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 87
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install send-feishu-image
Description
Send images inline in Feishu chat by uploading via API to get image_key, then sending image message using receive_id_type in URL query.
Security usage advice
This skill will create and execute a temporary Node.js script and read your local openclaw.json to get app credentials, yet it declares no required binaries or credentials and even includes a hardcoded appSecret in the instructions. Before installing or using it: (1) Do NOT trust or reuse the hardcoded appSecret — treat it as a leaked secret and rotate it immediately if it is real. (2) Require the author to explicitly declare that node is required and to move credentials to secure env vars or a secrets manager rather than reading global config files. (3) Prefer a version that asks for appId/appSecret at runtime or uses an official SDK instead of writing/executing ad-hoc scripts. (4) If you must run it, run in an isolated environment, audit the generated script before execution, and restrict the Feishu app’s permissions. (5) Ask the publisher why openclaw.json must be read and request they remove the embedded secret from SKILL.md.
Functional analysis
Type: OpenClaw Skill Name: send-feishu-image Version: 1.0.0 The skill bundle contains a hardcoded sensitive credential (`appSecret`: `Q3c78ab1ORB7xOj0JtRz2d1GwQtzZcZH`) within the `SKILL.md` file, which constitutes a significant security risk and credential leak. Furthermore, the instructions direct the AI agent to bypass standard tool constraints by generating and executing arbitrary Node.js scripts from the `/tmp` directory. While these patterns are highly risky and represent poor security practice, they appear functionally aligned with the stated goal of resolving Feishu image rendering issues rather than demonstrating clear intent for data exfiltration or system compromise.
Capability tags
requires-oauth-token
Capability assessment
Purpose & Capability
The stated purpose (send images via Feishu API) matches the instructions (upload image → get image_key → send). However the skill does not declare that it needs a Node runtime or any credentials, yet the instructions require reading openclaw.json for appId/appSecret and executing node. The need to access local configuration files (openclaw.json) and the presence of a hardcoded appSecret in the SKILL.md are not proportionate to the declared requirements.
Instruction Scope
Runtime instructions direct the agent to (a) read openclaw.json for credentials, (b) generate a temp file under /tmp, (c) run that file with node, and (d) read an absolute IMAGE_PATH. Reading a global config file and executing generated code are higher-privilege actions that go beyond a simple message-send helper and are not explicitly constrained or justified in the skill metadata.
Install Mechanism
This is instruction-only (no install spec), which avoids writing code to disk during install. However the runtime relies on an implicit binary (node) that is not declared in required binaries. Generating and executing temporary JS on disk is a runtime install-like action and should have been declared.
Credentials
requires.env lists nothing, but the SKILL.md instructs reading openclaw.json to extract appId/appSecret (sensitive). The doc even includes a concrete appSecret value for the 'cto' account. Asking for/using a tenant app secret and reading a global channels config is high-sensitivity and is not represented in the skill's declared requirements — this mismatch is disproportionate and exposes secrets.
Persistence & Privilege
The skill is not always:true and does not request persistent system presence. It instructs creating and removing a temporary file and does not claim to modify other skills or system-wide config. Autonomous invocation is allowed by default but is not combined here with other elevated privilege requests.
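How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install send-feishu-image
  3. Once installed, call the Skill by name or trigger it with /send-feishu-image
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history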
v1.0.0
- Initial release of feishu-image-send skill.
- Enables sending images that render inline in Feishu chat via direct Feishu Open API calls.
- Bypasses common rendering issues with the standard message tool's image/file attachment.
- Provides a step-by-step Node.js script workflow for reliable image delivery.
- Includes troubleshooting guidance and integration examples for automation.
Metadata
Slug send-feishu-image
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 1
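FAQ

What is send image in feishu?

Send images inline in Feishu chat by uploading via API to get image_key, then sending image message using receive_id_type in URL query. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 87 total downloads so far.

How do I install send image in feishu?

Run the command "/install send-feishu-image" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.

Is send image in feishu free?

Yes, send image in feishu is completely free; it is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does send image in feishu support?

send image in feishu runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed send image in feishu?

It is developed and maintained by jamesqin-cn (@jamesqin-cn); the current version is v1.0.0.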
