Feishu Voice API Sender

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Feishu voice-message helper that uses expected credentials, audio tools, and Feishu API calls to send user-directed messages.

Install only if you intend to let this skill send Feishu voice messages using your Feishu app identity. Use a least-privilege Feishu app, prefer environment variables or a secret manager over hardcoding secrets, verify the recipient open_id before sending, and avoid sending secrets or regulated content through TTS or voice messages unless your organization approves those services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f"--rate={rate}",
            "--write-media", output_path
        ]
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
        if result.returncode != 0:
            print(f"TTS 生成失败: {result.stderr}")
            return False
Confidence
79% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation advertises capabilities that require access to environment variables, local files, network APIs, and shell-executed tools, but it does not declare permissions for those sensitive operations. This creates a transparency and consent problem: a user or platform may run the skill without realizing it can read credentials from the environment or ~/.openclaw/openclaw.json and transmit data over the network.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The stated purpose focuses on sending Feishu voice messages, but the documented behavior also includes TTS generation, audio transcoding, and reading Feishu credentials from a local OpenClaw config file. That mismatch matters because it hides additional trust-sensitive behavior—especially credential discovery from local files—which expands the attack surface beyond what a user would expect from the description alone.

Context-Inappropriate Capability

Medium
Confidence
71% confidence
Finding
The script silently falls back to reading Feishu app credentials from a local OpenClaw config file, which broadens the trust boundary and may use higher-privilege secrets than the caller expects. In an agent-skill setting, undisclosed credential harvesting from local config is risky because users may trigger outbound actions without realizing existing account credentials will be consumed.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The script silently reads application credentials from environment variables or a local OpenClaw config file without any explicit notice or consent prompt at runtime. In an agent-skill context, implicit access to local secrets increases the chance that users invoke the skill without realizing it will consume stored credentials, which can undermine informed consent and safe secret handling.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill accesses locally stored Feishu credentials and sends user-provided text/audio-derived content to external services without an explicit warning or consent gate. In an agent environment, hidden outbound transmission and implicit credential use increase the chance of privacy surprises, unauthorized messaging, or misuse of an existing authenticated account.

VirusTotal

67/67 vendors flagged this skill as clean.
