Trusted — Risk Score 5/100
Last scan: 1 day ago
feishu-message-download
Download files (videos, images, documents, etc.) from Feishu messages to the local machine
A straightforward Feishu message file downloader that performs exactly as documented with no hidden functionality, credential exfiltration, or suspicious behavior.
Skill Name: feishu-message-download
Duration: 31.2s
Engine: pi
Safe to install
No action needed. The skill is safe to use.

Findings (1 item)

Severity | Finding | Location
Low | requests version not strictly pinned | Supply Chain (requirements.txt:1)

requirements.txt specifies 'requests>=2.28.0' without an upper bound. While not currently exploitable, a future compromised version of requests could be automatically installed.
requests>=2.28.0
→ Pin to a specific version or narrow range: requests>=2.28.0,<2.32.0
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | download.py:22 — requests.get/post to open.feishu.cn API endpoints
Filesystem | WRITE | WRITE | ✓ Aligned | download.py:284 — open(file_path, 'wb') for saving downloaded files
Environment | READ | READ | ✓ Aligned | download.py:48,59 — os.environ.get('FEISHU_APP_ID'/'FEISHU_APP_SECRET')
Shell | NONE | NONE | | No subprocess, os.system, or shell invocation found
Skill Invoke | NONE | NONE | | No cross-skill invocation found
External URLs (7 findings)

Severity | Finding | URL | Location
Medium | External URL | https://open.feishu.cn/im/xxx | README.md:62
Medium | External URL | https://open.feishu.cn/document/ukTMukTMukTM/uEjNwUjLxYDM14SM2ATN | README.md:231
Medium | External URL | https://open.feishu.cn/document/ukTMukTMukTM/uYjNwUjL2YDM14iN2ATN | README.md:232
Medium | External URL | https://clawhub.ai/skills/feishu-message-download | README.md:234
Medium | External URL | https://open.feishu.cn/open-apis/im/v1/messages/ | SKILL.md:176
Medium | External URL | https://open.feishu.cn/open-apis | download.py:22
Medium | External URL | https://open.feishu.cn/im/xxx?... | download.py:161

File Tree

5 files · 30.1 KB · 1027 lines
Markdown 2f · 530L Python 1f · 460L JSON 1f · 36L Text 1f · 1L
├─ 🐍 download.py Python 460L · 15.4 KB
├─ 📋 package.json JSON 36L · 783 B
├─ 📝 README.md Markdown 251L · 6.4 KB
├─ 📄 requirements.txt Text 1L · 17 B
└─ 📝 SKILL.md Markdown 279L · 7.5 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
requests | >=2.28.0 | pip | No | Version not strictly pinned — only lower bound specified

Security Positives

✓ No shell execution (subprocess, os.system, eval, or shell=True)
✓ No credential exfiltration — app_id/app_secret used only for Feishu API authentication
✓ No obfuscation — all code is human-readable with no base64, eval, or dynamic execution
✓ No hidden functionality — SKILL.md accurately describes all capabilities
✓ No sensitive path access — only accesses ~/.openclaw/config.json for legitimate config loading
✓ All network requests go to the declared Feishu API endpoint (open.feishu.cn)
✓ File writes are scoped to user-specified output_dir with no arbitrary path traversal