Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Feishu Edge Tts
v1.0.0使用微软 Edge TTS(免费)生成语音,发送到飞书。无需 API key,音质优秀,支持多语言多音色。
⭐ 0· 355·4 current·4 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (Edge TTS → Feishu) match what the scripts do: use edge-tts, ffmpeg, and curl to generate audio and upload/send via Feishu APIs. Required tools (edge-tts, ffmpeg, curl) are appropriate for this purpose.
Instruction Scope
SKILL.md and scripts scope is limited to generating audio (edge-tts), converting to opus (ffmpeg), uploading to Feishu via open.feishu.cn, and sending a message. The runtime instructions do not read unrelated system files or attempt to exfiltrate data to unexpected endpoints.
Install Mechanism
No install spec; this is instruction + script based. Dependencies are installed via standard channels (pip for edge-tts, OS package managers for ffmpeg) which is low risk compared to downloading arbitrary binaries.
Credentials
The scripts require FEISHU_APP_ID, FEISHU_APP_SECRET, and FEISHU_CHAT_ID to upload/send audio—this is proportionate to sending messages via Feishu. However, the registry summary at the top incorrectly listed 'Required env vars: none' while clawhub.yaml and SKILL.md do declare/expect these env vars. That metadata mismatch is a red flag (could be oversight, but it affects informed consent before installation).
Persistence & Privilege
Skill does not request persistent elevated privileges, does not set always:true, and does not modify other skills or global configs. It runs as a normal script and cleans up temporary files.
What to consider before installing
This skill appears to do what it claims (generate Edge TTS audio and send it to Feishu). Before installing or running:
- Note that you must provide FEISHU_APP_ID, FEISHU_APP_SECRET, and FEISHU_CHAT_ID as environment variables; the top-level registry metadata omitted these — don't trust that omission.
- Create or use a Feishu app/account with the minimum permissions necessary (least privilege) for uploading and sending messages; avoid using highly privileged tenant credentials.
- Inspect scripts yourself (or run them in an isolated environment) — the send_voice.sh script posts only to open.feishu.cn and uses local temp files, edge-tts, ffmpeg, curl, and python3 for JSON parsing. There are no hidden remote endpoints in the code.
- Test with the --no-send flag first to confirm audio generation locally before providing real Feishu credentials.
- Install edge-tts and ffmpeg from official package sources (pip and your OS package manager) to avoid malicious third-party binaries.
If you want higher assurance, ask the author for canonical source (repo/homepage) and a signed release; the manifest claims a GitHub URL but 'Source' and 'Homepage' are unknown — lack of an authoritative upstream repo reduces confidence.Like a lobster shell, security has layers — review code before you run it.
latestvk97f8z2q1x8j17rpxv5jaadabs82etk4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.