Low Risk — Risk Score 10/100
Last scan: 1 day ago
feishu-assistant
Feishu assistant, used to send images to the Feishu platform
Legitimate Feishu image sending tool with minor documentation gaps but no malicious behavior detected.
Skill Name: feishu-assistant
Duration: 43.6s
Engine: pi
Safe to install
Add an allowed-tools declaration to SKILL.md (filesystem:READ, network:READ). No blocking security issues.

Findings (2 items)

Low · Missing allowed-tools declaration · Doc Mismatch · SKILL.md:1
SKILL.md does not declare allowed-tools permissions. Inferred from the script: filesystem:READ (reading the image and the config file) and network:READ (the Feishu API calls); both are necessary for the skill's stated purpose.
Evidence: --- name: feishu-assistant ...
→ Add an allowed-tools section to the SKILL.md header declaring filesystem:READ and network:READ

Info · No dependency pinning · Supply Chain · scripts/send_image.py:6
The script imports the requests library, but no requirements.txt exists and the version is not pinned.
Evidence: import requests
→ Add a requirements.txt with requests pinned to a specific version
Resource usage (declared vs. inferred)

Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | READ | ✓ Aligned | scripts/send_image.py:39 - reads image paths; scripts/send_image.py:38 - reads ~…
Network | NONE | READ | ✓ Aligned | scripts/send_image.py:50-53,64-76,81-91,99-108 - API calls to open.feishu.cn
Shell | NONE | NONE | - | No shell execution found
External URLs (5 findings)

Medium · External URL · https://open.feishu.cn/ · SKILL.md:21
Medium · External URL · https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal · scripts/send_image.py:50
Medium · External URL · https://open.feishu.cn/open-apis/im/v1/images · scripts/send_image.py:64
Medium · External URL · https://open.feishu.cn/open-apis/im/v1/messages · scripts/send_image.py:81
Medium · External URL · https://open.feishu.cn/open-apis/im/v1/messages/ · scripts/send_image.py:99
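The two checks that produce the findings above (declared versus inferred capabilities, and every outbound URL compared against an allowlist of hosts) can be reproduced with a small static pass over the skill's files. The following is an added example written for this page; it is not the scanner's (pi's) code and not part of the feishu-assistant skill. The SKILL.md and send_image.py contents it embeds are constructed stand-ins modelled on the report, the `allowed-tools:` front-matter key and its comma-separated value format are an assumed syntax, and the capability labels follow the report's own (filesystem:READ, network:READ, plus shell:EXEC and filesystem:WRITE for the cases the report says it did not find).

```python
"""Static capability audit for a skill package: compare what SKILL.md declares with what the
script does, and allowlist the hosts it contacts. Added example; not the scanner's or the skill's code."""
import ast
import re
from urllib.parse import urlparse

# Constructed stand-ins modelled on the report above, not the real files.
SKILL_MD = """---
name: feishu-assistant
description: Send images to Feishu
---
Usage: python scripts/send_image.py <image> <chat_id>
"""
SEND_IMAGE_PY = '''import json, os, requests
CONFIG = os.path.expanduser("~/.openclaw/openclaw.json")
TOKEN_URL = "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal"
IMAGE_URL = "https://open.feishu.cn/open-apis/im/v1/images"

def upload(path, token):
    cfg = json.load(open(CONFIG))                           # filesystem:READ
    with open(path, "rb") as img:                           # filesystem:READ
        r = requests.post(IMAGE_URL, files={"image": img},  # network
                          headers={"Authorization": "Bearer " + token})
    return r.json()
'''

NETWORK_MODULES = {"requests", "urllib", "urllib3", "http", "httpx", "socket", "aiohttp"}
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_call", "subprocess.check_output"}

def _dotted(node):
    """Render a call target like subprocess.run as 'subprocess.run'; None if it is not a plain name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None

def infer_capabilities(source):
    """Capabilities the script exercises, using the report's labels (filesystem:READ, network:READ, ...)."""
    caps = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            if any(m.split(".")[0] in NETWORK_MODULES for m in mods):
                caps.add("network:READ")
        elif isinstance(node, ast.Call):
            target = _dotted(node.func)
            if target in SHELL_CALLS:
                caps.add("shell:EXEC")
            elif target == "open":
                # mode is the 2nd positional arg or mode=...; open()'s default is read-only text
                mode_nodes = node.args[1:2] + [k.value for k in node.keywords if k.arg == "mode"]
                mode = "".join(str(a.value) for a in mode_nodes if isinstance(a, ast.Constant))
                caps.add("filesystem:WRITE" if set(mode) & set("wax+") else "filesystem:READ")
    return caps

def extract_urls(source):
    """Every http(s) URL appearing as a string literal, as (line, url) in file order."""
    return sorted((n.lineno, n.value) for n in ast.walk(ast.parse(source))
                  if isinstance(n, ast.Constant) and isinstance(n.value, str)
                  and n.value.startswith(("http://", "https://")))

def parse_allowed_tools(skill_md):
    """Read 'allowed-tools:' from the YAML front matter (assumed key name; comma-separated values)."""
    m = re.match(r"^---\n(.*?)\n---", skill_md, re.S)
    for line in (m.group(1).splitlines() if m else []):
        key, _, value = line.partition(":")  # first colon only, so 'filesystem:READ' keeps its colon
        if key.strip() == "allowed-tools":
            return {t.strip() for t in value.split(",") if t.strip()}
    return set()

def audit(skill_md, source, allowed_hosts):
    """Declared-vs-inferred comparison plus host allowlisting; findings are (severity, category, detail)."""
    declared, inferred, findings = parse_allowed_tools(skill_md), infer_capabilities(source), []
    if not declared:
        findings.append(("Low", "Doc Mismatch",
                         "no allowed-tools declaration; script needs " + ", ".join(sorted(inferred))))
    for cap in (sorted(inferred - declared) if declared else []):
        findings.append(("Medium", "Doc Mismatch", cap + " used but not declared"))
    if "shell:EXEC" in inferred:
        findings.append(("High", "Shell", "shell execution found"))
    for lineno, url in extract_urls(source):
        host = urlparse(url).hostname or ""
        findings.append(("Medium" if host in allowed_hosts else "High", "External URL", f"{url} (line {lineno})"))
    return {"declared": declared, "inferred": inferred, "findings": findings}

if __name__ == "__main__":
    for sev, cat, detail in audit(SKILL_MD, SEND_IMAGE_PY, {"open.feishu.cn"})["findings"]:
        print(f"{sev:<6} {cat:<13} {detail}")
```

Run as-is it reports the same shape as the page: one Low Doc Mismatch (no allowed-tools declared, filesystem:READ and network:READ needed) and one Medium External URL per literal, all on open.feishu.cn; feed it a script that calls subprocess or talks to a host outside the allowlist and the corresponding findings escalate. It is a purely syntactic approximation: it does not follow data flow, so a URL assembled at runtime or a file read through pathlib or a shadowed `open` would be missed, and outbound POSTs are labelled with the report's network:READ rather than a separate write level.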

File Tree

2 files · 7.9 KB · 247 lines
Python: 1 file, 178 lines · Markdown: 1 file, 69 lines
├─ 📁 scripts
│ └─ 🐍 send_image.py Python 178L · 5.9 KB
└─ 📝 SKILL.md Markdown 69L · 2.0 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
requests | unknown | pip | No | No requirements.txt; version not pinned

Security Positives

✓ Clean, readable Python code with no obfuscation
✓ All network calls go to official Feishu API (open.feishu.cn)
✓ Credentials are used locally for authentication only - no exfiltration
✓ Config file path (~/.openclaw/openclaw.json) is standard and expected
✓ File operations are minimal and necessary for stated purpose
✓ No base64, eval, or other obfuscation patterns
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env reading)