Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Voice API Sender

v1.0.1

Feishu voice message sending: upload OPUS audio through the official API and send voice messages, fixing the missing duration parameter in OpenClaw's built-in sender. | Send voice messages via Feishu official API, fixing OpenClaw's missing duration param...

by 退役前写代码的 @54meteor
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, scripts, and SKILL.md all describe sending Opus audio to Feishu and adding the required duration field. Requested binaries (ffprobe/ffmpeg, edge-tts via uvx) and use of APP_ID/APP_SECRET are consistent with generating/converting audio and calling Feishu APIs. Minor mismatch: registry metadata listed no required env vars/binaries while SKILL.md and scripts do list them.
Instruction Scope
Runtime instructions and scripts only perform TTS (via uvx/edge-tts), audio conversion (ffmpeg/ffprobe), read credentials (env vars or ~/.openclaw/openclaw.json), and call Feishu API endpoints. These actions stay within the stated purpose. Note: the skill explicitly reads ~/.openclaw/openclaw.json as a credential fallback — this grants it access to any data in that file and may expose other OpenClaw-stored credentials if present.
Install Mechanism
No install spec; this is instruction + script only. The package does not download remote archives or run an installer. External binaries (uvx, ffmpeg/ffprobe) are invoked at runtime and must already be present; that is normal for this functionality.
Credentials
The scripts require Feishu application credentials (APP_ID and APP_SECRET) which are appropriate and necessary to obtain tenant_access_token and call Feishu APIs. The code also falls back to reading ~/.openclaw/openclaw.json for credentials — justified for running inside OpenClaw but increases the file-scope the skill can access. No other unrelated secret env vars or credentials are requested.
Persistence & Privilege
always is false and the skill does not modify other skills or system-wide config. It does not request persistent installation privileges; it only runs scripts on invocation.
Assessment
This skill appears to do exactly what it says: generate/convert audio, compute duration, and call Feishu APIs using an app ID/secret. Before installing, consider:
- Provide APP_ID and APP_SECRET via environment variables (recommended) instead of editing scripts. The scripts will read ~/.openclaw/openclaw.json as a fallback, so verify that file's contents and be aware the skill will try to open it.
- The scripts invoke external binaries (uvx/edge-tts and ffmpeg/ffprobe). Make sure you trust those tools and that they are installed from trusted sources.
- The code performs network calls to open.feishu.cn (expected). If you need stronger isolation, run the scripts in a sandboxed environment or review/modify the code to restrict file reads.
- Note the minor metadata mismatch: registry metadata lists no required env vars/binaries while SKILL.md and scripts do. This is probably a packaging/documentation oversight, not malicious, but verify runtime requirements before use.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97787bavg9cn7recxvgb828ah84bz6z
