Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
minimax_ttsvoicereponse_feishu
v1.0.0Convert text to speech using MiniMax API and send voice bubble messages on Feishu upon user voice reply requests.
⭐ 0· 63·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The stated purpose is to convert text to speech and send Feishu voice-bubble messages. The included script implements TTS (calling MiniMax API) and ffmpeg conversion to OGG, which fits the TTS part, but it does not implement any Feishu sending. The registry metadata also omits declaring the required MINIMAX_VOICE_API_KEY environment variable. Expectation mismatch between description (automatically send to Feishu) and actual code (only creates an OGG file).
Instruction Scope
SKILL.md instructs triggers and describes sending via Feishu; runtime script only performs TTS and prints an OGG path. There are no instructions or code that post the generated audio to Feishu — SKILL.md suggests an out-of-band integration (OpenClaw message tool) but that gap is not documented as required steps in metadata. The runtime instructions do not access any other system secrets beyond the API key, which is appropriate.
Install Mechanism
No install spec (instruction-only) and a small Python script — lowest install risk. Runtime requires Python requests and system ffmpeg, which are reasonable for audio conversion. No remote code downloads or archives are used.
Credentials
The script requires a single secret (MINIMAX_VOICE_API_KEY via env or config.txt), which is proportionate for a TTS integration. However, the registry metadata lists no required env vars or primary credential, which is an omission and reduces transparency. The script will write output to ~/.openclaw/workspace/voice_reply.ogg and may create that directory; storing API keys in a plaintext config.txt is suggested in docs — that is a potential secret-exposure risk unless the user stores the key in env vars or a secrets manager.
Persistence & Privilege
The skill is not always-enabled, does not request persistent/privileged presence, and does not modify other skills or system-wide configs. It simply writes generated audio to the user's workspace directory — expected behaviour.
What to consider before installing
This skill will call MiniMax's TTS API and convert the returned audio to OGG using ffmpeg — that part is implemented in scripts/voice_reply.py. However: (1) the script does NOT send the resulting audio to Feishu; SKILL.md claims Feishu messaging but the code only prints an OGG path. If you expect automatic posting to Feishu, confirm how OpenClaw or another integration will actually upload/send the file. (2) The registry metadata omitted declaring the required MINIMAX_VOICE_API_KEY — you should not install or run the script until metadata correctly lists this required credential. (3) Prefer setting the API key as an environment variable rather than storing it in config.txt (plaintext). (4) Ensure ffmpeg is installed and review the script before running; it writes to ~/.openclaw/workspace/voice_reply.ogg and may create that directory. Recommended actions before installing: verify or add Feishu-posting code/steps, update registry metadata to declare MINIMAX_VOICE_API_KEY, inspect the code yourself (or have a reviewer) to confirm there are no hidden endpoints, and store the API key securely (env var or secret store) rather than in config.txt.Like a lobster shell, security has layers — review code before you run it.
latestvk97aadssee02r4p1gv3mbqwd4983x7fk
License
MIT-0
Free to use, modify, and redistribute. No attribution required.