ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

voice2feishu

v1.0.2

文字转语音并发送到飞书。支持两种模式:API 模式(智谱/OpenAI 等)和本地模式(ChatTTS)。

0· 70·0 current·0 all-time
by@enihsago
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (text→TTS→Feishu) align with the code and required env vars. The only required env vars declared (FEISHU_APP_ID, FEISHU_APP_SECRET) are needed to upload/send messages to Feishu. Optional TTS-related env vars (TTS_API_KEY, TTS_API_URL, CHATTTS_*) are relevant for the two supported modes.
Instruction Scope
SKILL.md and scripts confine actions to expected operations: call a TTS API or local ChatTTS, convert audio, then upload to Feishu. The chattts-server script writes /tmp/chattts_server.py and launches a local Flask service bound to 0.0.0.0, and temporary files/PID/logs are stored under /tmp; this is functional but means the service is network-exposed and unauthenticated by default and the model download instructions will fetch large model files from Hugging Face / ModelScope. No instructions read unrelated system config or request unrelated credentials.
Install Mechanism
This is instruction-only (no package downloads during install). The code relies on common system tools (ffmpeg, ffprobe, jq, curl) and optional Python packages. Model downloads (if using ChatTTS) are from Hugging Face / ModelScope as documented — no obscure or shortener URLs or arbitrary binary downloads in install spec.
Credentials
Requested environment variables are proportional: FEISHU_APP_ID/FEISHU_APP_SECRET are required to obtain Feishu tenant token and send messages. TTS_API_KEY/TTS_API_URL are optional and used only for API mode. No unrelated secrets or broad credential lists are requested.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges. It does create PID/log/temp files under /tmp and can run a background local server (ChatTTS) when asked; it does not modify other skills or system-wide agent settings.
Assessment
This skill appears to do exactly what it says: generate TTS (via a 3rd‑party API or a local ChatTTS service) and upload audio to Feishu. Before installing, consider: 1) Only provide FEISHU_APP_ID and FEISHU_APP_SECRET if you trust the skill — these allow sending messages from the app. 2) API mode sends text to whatever TTS_API_URL you configure (e.g., OpenAI or Zhipu); sensitive text will be transmitted to that provider. 3) Local mode may auto-download ~2GB model files (Hugging Face/ModelScope) and runs an unauthenticated Flask server bound to 0.0.0.0 by default — if you run it, consider binding to localhost or using a firewall to restrict access. 4) The scripts write temporary files and logs to /tmp; inspect logs at /tmp/chattts-server.log if you run the service. 5) Ensure required binaries (ffmpeg, ffprobe, jq, curl) and optional Python dependencies are installed from trusted sources. If you want more assurance, review the scripts (they are present in the package) and test in a safe environment first.

Like a lobster shell, security has layers — review code before you run it.

audiovk9704w55ekt6artrp8gk7wjq7183h5mrfeishuvk9704w55ekt6artrp8gk7wjq7183h5mrlatestvk9704w55ekt6artrp8gk7wjq7183h5mrttsvk9704w55ekt6artrp8gk7wjq7183h5mrvoicevk9704w55ekt6artrp8gk7wjq7183h5mr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsffmpeg, ffprobe, jq, curl
EnvFEISHU_APP_ID, FEISHU_APP_SECRET

Comments