feishu-whisper-voice

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Voice messages in Feishu may be downloaded and transcribed using the bot or authorized user context.

Why it was flagged

The skill downloads Feishu audio resources using bot or user identity. This is expected for a Feishu voice skill, but it means the agent can access message audio through Feishu permissions.

Skill content

Prefer the bot identity (no authorization required)... feishu_im_bot_image(... type="audio") ... User identity (requires OAuth authorization): feishu_im_user_fetch_resource(...)

Recommendation

Install only where the bot/user permissions are appropriate, and avoid using it on Feishu conversations containing sensitive audio unless that is intended.

What this means

The assistant may send transcribed or generated replies into the active Feishu channel when used for voice dialogue.

Why it was flagged

The skill examples post generated text or voice replies to the current Feishu channel. This matches the stated voice-interaction purpose, but posting to a channel is a user-visible external action.

Skill content

await message.send( to=current_channel, message=reply ) ... await send_voice_message( to=current_channel, audio_url=audio_result["audio_url"] )

Recommendation

Use it in channels where automatic or assistant-generated replies are acceptable, and review generated content before relying on it in sensitive workspaces.

What this means

Running the installer may download and execute third-party packages or build tools on the local machine.

Why it was flagged

The included installer uses unpinned package installs and optional source checkout/build steps. These are relevant to the speech/TTS purpose, but they depend on external package provenance.

Skill content

pip install faster-whisper torch --upgrade ... git clone https://github.com/ggerganov/whisper.cpp ... pip install azure-cognitiveservices-speech ... pip install elevenlabs

Recommendation

Review install.sh before running it, prefer a virtual environment, and pin or verify dependencies if using this in a sensitive environment.

What this means

Running the helper can modify the Python environment by installing a package.

Why it was flagged

One transcription helper installs faster-whisper at runtime if it is missing. This supports the stated transcription purpose but is still local package installation during script execution.

Skill content

subprocess.check_call([sys.executable, "-m", "pip", "install", "faster-whisper"])

Recommendation

Use a dedicated virtual environment and install dependencies explicitly rather than allowing runtime installation in a shared Python environment.

What this means

Transcribed audio content may remain in /tmp/voice_result.txt after the script runs.

Why it was flagged

A helper writes the transcription result to a local temporary file. This is useful for follow-up use but can leave sensitive spoken content on disk.

Skill content

with open("/tmp/voice_result.txt", "w", encoding="utf-8") as f:
    f.write(result)

Recommendation

Do not process sensitive audio unless local transcript storage is acceptable, and delete temporary transcript files when finished.