feishu-upload-image

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The script scripts/upload_image.py retrieves sensitive Feishu credentials, specifically app_id and app_secret, from the local configuration file located at ~/.goclaw/config.json.
  • [EXTERNAL_DOWNLOADS]: The upload_from_url method in scripts/upload_image.py fetches data from arbitrary external URLs using the requests library. This provides an ingestion point for untrusted data into the skill's workflow.
      • Ingestion points: upload_from_url function in scripts/upload_image.py.
      • Boundary markers: None present to distinguish between trusted and untrusted URL content.
      • Capability inventory: The script can perform network GET requests to arbitrary URLs and POST requests to Feishu, as well as read local files.
      • Sanitization: A file size check (10MB limit) is implemented, but no content-level validation or sanitization is performed on the downloaded data.
  • [DATA_EXFILTRATION]: The skill possesses the capability to read any local file (via upload_from_file) and transmit its content to an external service (open.feishu.cn). This creates a risk of data exfiltration if the agent is directed to upload sensitive files such as credentials or private keys.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 29, 2026, 10:38 PM