
Security audit

Li Feishu Audio

Security checks across malware telemetry and agentic risk

Overview

This Feishu voice assistant mostly matches its purpose, but it handles credentials and user message content with enough unsafe logging, disclosure, and cleanup behavior that users should review it before installing.

Install only after reviewing the scripts and privacy posture. Use a minimally privileged Feishu app, restrict the bot to approved chats or users, avoid sensitive production conversations until raw message/transcript logging and config printing are fixed, keep .env writable only by trusted users, and validate TEMP_DIR before running or scheduling cleanup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""

    try:
        result = subprocess.run(
            [str(PYTHON_BIN), "-c", tts_script],
            capture_output=True, text=True, timeout=30
        )
Confidence
93% confidence
Finding
result = subprocess.run( [str(PYTHON_BIN), "-c", tts_script], capture_output=True, text=True, timeout=30 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"\n[测试] voice.py Handler")
    handler_input = '{"message": "你好"}'
    try:
        result = subprocess.run(
            [VENV_PYTHON, f"{SKILL_DIR}/src/handlers/voice.py"],
            input=handler_input,
            capture_output=True,
Confidence
86% confidence
Finding
result = subprocess.run( [VENV_PYTHON, f"{SKILL_DIR}/src/handlers/voice.py"], input=handler_input, capture_output=True, text=True, t

Tainted flow: 'VENV_PYTHON' from os.environ.get (line 15, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
print(f"\n[测试] voice.py Handler")
    handler_input = '{"message": "你好"}'
    try:
        result = subprocess.run(
            [VENV_PYTHON, f"{SKILL_DIR}/src/handlers/voice.py"],
            input=handler_input,
            capture_output=True,
Confidence
97% confidence
Finding
result = subprocess.run( [VENV_PYTHON, f"{SKILL_DIR}/src/handlers/voice.py"], input=handler_input, capture_output=True, text=True, t

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation describes shell execution, environment-variable use, virtualenv creation, dependency installation, and access to sensitive Feishu credentials, but it does not declare corresponding permissions. Undeclared env/shell capabilities are dangerous because they hide the real execution and secret-access surface from reviewers and policy enforcement, making it easier for a skill to run commands or read credentials without explicit approval.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior does not match the actual capabilities: it can read credentials from openclaw.json, create environments, install dependencies, download models, and perform maintenance actions beyond the stated purpose. This mismatch is dangerous because reviewers may approve the skill for limited voice processing while it actually expands its trust boundary into local config, package installation, and broader system modification, increasing the chance of secret exposure or unsafe execution.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The document states that the skill does not collect voice content, chat records, or personal information, but elsewhere admits that voice/text data is sent to Feishu and Microsoft Edge TTS, and the skill description says it performs speech recognition. Even if data is only processed transiently and not retained locally, transmission to third parties is still handling user data, so the disclosure is materially misleading and can cause operators to underestimate privacy and compliance risk.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The quickstart states that Feishu voice messages will be automatically transcribed, processed by AI, synthesized, and sent back, but it provides no privacy, consent, retention, or third-party processing warning. In a messaging/voice context, this can lead to unintentional processing of sensitive audio content and noncompliant handling of personal or confidential data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README describes a workflow that sends user voice content to multiple external services for speech recognition, AI processing, TTS, and Feishu delivery, but it does not clearly warn users that message content may leave the local environment. In a voice-interaction skill, this omission matters because voice messages can contain sensitive personal or business information, and users/admins need explicit notice to make informed deployment decisions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script recursively deletes directories derived from a user-configurable base path without validating that the resolved path is safe or constrained to an expected location. If TEMP_DIR is changed in .env to an unintended or sensitive path, the cleanup can remove matching directories there with no confirmation, creating a real risk of destructive data loss.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This second cleanup branch performs another rm -rf pass based on disk usage, again using directories selected from a configurable path and deleting them automatically. The skill context makes this somewhat more dangerous because it is an unattended maintenance script for temporary audio artifacts, so operators may schedule it via cron and not notice misconfiguration until data has been removed.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The installer reads and echoes Feishu and TTS configuration from the user's OpenClaw config without prior consent or masking. While this is not direct exfiltration, it can expose app IDs, service settings, or other sensitive metadata in terminal logs, screen recordings, or shared shell sessions.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code logs recognized speech content and also logs raw inbound message data, which may contain sensitive personal or business information from user audio. Because this occurs without any disclosure, consent mechanism, or minimization, it creates a privacy leak through stderr/application logs that may be retained or exposed to operators and other systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The TTS flow sends reply text to Edge TTS, which is an external service dependency, without any explicit disclosure or consent. If the reply text contains personal or sensitive information derived from user messages, this can expose user data to a third party and create compliance and confidentiality issues.

Credential Access

High
Category
Privilege Escalation
Content
# Load the user-configured environment variables
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
if [ -f "${SCRIPT_DIR}/.env" ]; then
    source "${SCRIPT_DIR}/.env"
fi
Confidence
95% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
# Load the user-configured environment variables
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
if [ -f "${SCRIPT_DIR}/.env" ]; then
    source "${SCRIPT_DIR}/.env"
fi

# Use the virtual environment (custom directory supported)
Confidence
95% confidence
Finding
.env"

VirusTotal

46/46 vendors flagged this skill as clean.
