Scan Report
5/100
send-file
Send files to messaging platforms (Feishu, Telegram, Discord, etc.)
Legitimate file-sending skill for Feishu with properly declared permissions and no malicious behavior.
Safe to install
Skill is safe for use. No security concerns identified.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | Python reads files for upload only; shell script validates file existence |
| Network | READ | READ | ✓ Aligned | Makes POST requests to open.feishu.cn API endpoints |
| Environment | READ | READ | ✓ Aligned | Reads FEISHU_APP_ID and FEISHU_APP_SECRET from os.environ |
| Shell | NONE | NONE | — | No subprocess or shell execution observed |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
4 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://open.feishu.cn/app | SKILL.md:33 |
| Medium | External URL | https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal | SKILL.md:133 |
| Medium | External URL | https://open.feishu.cn/open-apis/im/v1/files | SKILL.md:141 |
| Medium | External URL | https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id | SKILL.md:150 |
File Tree
3 files · 13.4 KB · 476 lines
Markdown 1f · 244L
Python 1f · 156L
Shell 1f · 76L
├─ scripts
│  ├─ send_feishu_file.py (Python)
│  └─ send_file.sh (Shell)
└─ SKILL.md (Markdown)
Dependencies 1 item
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| requests | * | pip | No | Version not pinned but no security impact in this context |
Security Positives
✓ All credential access (FEISHU_APP_ID, FEISHU_APP_SECRET) is properly declared in SKILL.md
✓ Network requests are exclusively to legitimate Feishu API endpoints (open.feishu.cn)
✓ No credential exfiltration - tokens stay local for API authentication only
✓ File access is limited to reading files for upload, no sensitive path access
✓ No obfuscation, base64 encoding, or anti-analysis techniques
✓ No subprocess or shell execution in Python code
✓ Shell script is a simple file validation utility with no malicious intent
✓ Clean, readable code with proper error handling