openclaw - 💡(How to fix) Fix [Bug]: Feishu MEDIA/image upload fails when appSecret uses SecretRef (Keychain)


After migrating Feishu bot credentials (appSecret) from plaintext to SecretRef (macOS Keychain via exec provider), the MEDIA directive can no longer send local images to Feishu chats. The image upload silently fails because the Feishu SDK in the MEDIA code path does not resolve SecretRef objects — it reads the raw appSecret field value, which is now { source: "exec", provider: "...", id: "value" } instead of the actual secret string.

Root Cause

The Feishu SDK's image upload path (used by MEDIA directive to call POST /open-apis/im/v1/images) does not go through the SecretRef resolution layer when reading appSecret. It reads the raw field value from the config object.

When appSecret was a plain string, this worked fine. After migration to SecretRef, the value is an object { source: "exec", ... }, which the SDK passes as-is to the authentication call. This results in a failed token acquisition, and the image upload silently fails.

Other Feishu features (WebSocket messaging, document read/write) work correctly because they use a different credential resolution path that properly handles SecretRef.

Fix Action

Fix / Workaround

  • Any agent using SecretRef-stored credentials cannot send local images via MEDIA directive
  • This affects all agents that have migrated to Keychain-based secret storage
  • The send_feishu_file.sh workaround (which hardcodes the secret) is not a viable cross-agent solution

Code Example

{
  "channels": {
    "feishu": {
      "accounts": {
        "main-bot": {
          "appId": "cli_xxx",
          "appSecret": {
            "source": "exec",
            "provider": "keychain_feishu_main-bot",
            "id": "value"
          }
        }
      }
    }
  }
}

---

MEDIA:/path/to/image.jpg

---

Bug type

Regression (worked before, now fails)

Beta release blocker

No

Summary

After migrating Feishu bot credentials (appSecret) from plaintext to SecretRef (macOS Keychain via exec provider), the MEDIA directive can no longer send local images to Feishu chats. The image upload silently fails because the Feishu SDK in the MEDIA code path does not resolve SecretRef objects — it reads the raw appSecret field value, which is now { source: "exec", provider: "...", id: "value" } instead of the actual secret string.

Steps to reproduce

  1. Configure Feishu channel with appSecret as a SecretRef:
{
  "channels": {
    "feishu": {
      "accounts": {
        "main-bot": {
          "appId": "cli_xxx",
          "appSecret": {
            "source": "exec",
            "provider": "keychain_feishu_main-bot",
            "id": "value"
          }
        }
      }
    }
  }
}
  2. Restart gateway and verify normal chat works (WebSocket connection succeeds)
  3. Try sending a local image via MEDIA directive in a Feishu DM:
MEDIA:/path/to/image.jpg
  4. Recipient does not receive the image

Expected behavior

The Feishu SDK should resolve SecretRef objects before using appSecret, or the MEDIA upload code path should use the same credential resolution mechanism as the main WebSocket connection.

Actual behavior

Root Cause

The Feishu SDK's image upload path (used by MEDIA directive to call POST /open-apis/im/v1/images) does not go through the SecretRef resolution layer when reading appSecret. It reads the raw field value from the config object.

When appSecret was a plain string, this worked fine. After migration to SecretRef, the value is an object { source: "exec", ... }, which the SDK passes as-is to the authentication call. This results in a failed token acquisition, and the image upload silently fails.

Other Feishu features (WebSocket messaging, document read/write) work correctly because they use a different credential resolution path that properly handles SecretRef.

Confirmed by Testing

| Test | appSecret format | MEDIA image send |
|------|------------------|------------------|
| 1 | SecretRef (Keychain) | ❌ Failed |
| 2 | Plaintext (temporary revert) | ✅ Success |
| 3 | SecretRef (restored) | ❌ Failed |

Impact

  • Any agent using SecretRef-stored credentials cannot send local images via MEDIA directive
  • This affects all agents that have migrated to Keychain-based secret storage
  • The send_feishu_file.sh workaround (which hardcodes the secret) is not a viable cross-agent solution

OpenClaw version

2026.5.28

Operating system

macOS Tahoe 26.5 (arm64)

Install method

No response

Model

Deepseek V4 Flash

Provider / routing chain

Deepseek

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

No response
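
An added example (not OpenClaw or Feishu SDK code) of the behavior the report asks for: every code path resolves appSecret through one function that accepts a plain string or a SecretRef and never hands a non-string to the token request. The names `resolveSecret`, `buildTokenRequest` and `buildTokenRequestRaw`, the in-process provider map standing in for the exec provider, the secret value, and the `app_id`/`app_secret` field names are all assumptions made for illustration.

```javascript
// Added example with hypothetical names; not OpenClaw or Feishu SDK code.
// Constructed account entry in the shape shown in the issue.
const account = {
  appId: "cli_xxx",
  appSecret: { source: "exec", provider: "keychain_feishu_main-bot", id: "value" },
};

// Stand-in for the exec provider layer (assumption): provider name -> lookup function.
// A real provider would run the Keychain helper; the secret below is constructed.
const providers = new Map([
  ["keychain_feishu_main-bot", (id) => (id === "value" ? "constructed-secret-123" : undefined)],
]);

function isSecretRef(v) {
  return v !== null && typeof v === "object" &&
    typeof v.source === "string" && typeof v.provider === "string" && typeof v.id === "string";
}

// Accepts a plain string or a SecretRef; returns a non-empty string or throws.
// Error messages name the provider, never the secret value.
function resolveSecret(value, providerMap) {
  if (typeof value === "string" && value.length > 0) return value;
  if (!isSecretRef(value)) throw new TypeError("appSecret must be a non-empty string or a SecretRef");
  const lookup = providerMap.get(value.provider);
  if (typeof lookup !== "function") throw new Error(`unknown secret provider: ${value.provider}`);
  const secret = lookup(value.id);
  if (typeof secret !== "string" || secret.length === 0) {
    throw new Error(`provider ${value.provider} returned no secret for id ${value.id}`);
  }
  return secret;
}

// The failure mode described in the issue: the raw config field goes into the
// token request, so after migration app_secret is an object, not a string.
function buildTokenRequestRaw(acct) {
  return { app_id: acct.appId, app_secret: acct.appSecret };
}

// Shared path: every caller (chat, documents, image upload) resolves first.
// Field names app_id/app_secret are assumed for illustration.
function buildTokenRequest(acct, providerMap) {
  return { app_id: acct.appId, app_secret: resolveSecret(acct.appSecret, providerMap) };
}
```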
