Feishu Voice Skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears purpose-aligned for generating and sending Feishu voice messages, but it needs real Feishu/NoizAI credentials and can post messages on the user's behalf.
Install this only if you intend to let your assistant generate speech through NoizAI and send real voice messages to a Feishu chat. Configure a least-privileged Feishu app, protect the app secret and API key, verify the chat ID before sending, avoid sensitive message content, and do not enable batch or cron sending unless you want recurring automated posts.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with valid credentials, the assistant can post voice messages into the configured Feishu chat.
The script sends an audio message to a configured Feishu chat through the Feishu API, which is the skill's stated purpose but is still an external account mutation.
curl -s -X POST "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=chat_id" ... "msg_type":"audio"
Verify the target chat ID, use the skill only for intended messages, and consider requiring user confirmation before sending.
A configured Feishu app secret and bot permissions allow message sending in the Feishu workspace according to that app's scope.
The skill requires Feishu bot permissions and app credentials so it can upload audio and send messages as a bot.
Add the following permissions:
- `im:message` - Send messages
- `im:message:send_as_bot` - Send as bot
- `im:resource` - Resource access
Use a least-privileged Feishu app, restrict it to intended chats where possible, store secrets in environment variables or a vault, and rotate credentials if exposed.
Private or sensitive text provided to the skill may leave the local environment and be processed by NoizAI and Feishu.
The text supplied by the user, including text read from a file, is sent to the NoizAI TTS provider before the resulting audio is uploaded to Feishu.
curl -s -X POST "https://api.noiz.ai/tts" -H "Authorization: $NOIZ_API_KEY" ... -o "$TEMP_MP3"
Do not pass secrets or sensitive documents as voice text unless those providers are approved for that data.
If an unexpected or untrusted tts.sh exists on PATH, the skill may run that local helper during voice generation.
The script prefers an external local helper named tts.sh if present, but that helper is not included in the provided files.
if command -v tts.sh &> /dev/null; then
tts.sh speak -t "$TEXT" --backend noiz -o "$TEMP_MP3"
Ensure any installed tts.sh is trusted, or remove/disable that helper path and use the direct NoizAI curl path.
If configured, scheduled voice messages can continue to be sent until the cron entry is removed.
The documentation shows a user-directed cron setup for recurring scheduled message sending.
crontab -e
# Add:
0 8 * * * /path/to/send_voice.sh -t "主人早上好~"
Only add scheduled jobs intentionally, document them, and remove the cron entry when no longer needed.
