Feishu Voice

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: feishu-voice
Version: 1.2.0

The feishu-voice skill is a legitimate utility for converting text to speech and sending it as a voice message via the Feishu (Lark) platform. It uses standard system utilities (ffmpeg, ffprobe, jq) and interacts exclusively with official Feishu API endpoints (open.feishu.cn) using provided environment credentials. The script logic in scripts/send_voice.sh is transparent, follows the documented workflow, and includes proper cleanup of temporary files in /tmp.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the credentials are broad, the skill can use them to consume TTS service capacity and send Feishu bot messages within the app's permissions.

Why it was flagged

The skill requires Feishu app credentials and a Coze API key to obtain a tenant token, generate TTS, and send messages. This is purpose-aligned, but these are sensitive service credentials.

Skill content

export FEISHU_APP_ID="cli_xxx" ... export FEISHU_APP_SECRET="your_secret" ... export COZE_API_KEY="your_coze_key"

Recommendation

Use a dedicated Feishu bot/app with the minimum required permissions and a limited Coze key; rotate or remove the credentials when no longer needed.

What this means

A mistaken invocation could send the wrong spoken message or send it to the wrong Feishu recipient.

Why it was flagged

After invocation, the script uploads audio and posts an audio message to Feishu. This matches the skill purpose, but it is a direct account-impacting action without an extra confirmation step.

Skill content

SEND_RESPONSE=$(curl -s -X POST "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id" ... "msg_type": "audio")

Recommendation

Only invoke the skill when the intended text and recipient are clear; consider wrapping it with a confirmation step for sensitive chats.

What this means

The text being converted and the Coze credential flow depend on the installed coze-tts helper behaving as expected.

Why it was flagged

The script executes a separate coze-tts skill script located from the workspace or common paths. The dependency is disclosed, but its code/provenance is outside this skill package.

Skill content

elif [ -n "$OPENCLAW_WORKSPACE" ] && [ -f "$OPENCLAW_WORKSPACE/skills/coze-tts/scripts/text_to_speech.sh" ]; then ... bash "$TTS_SCRIPT" "$TEXT"

Recommendation

Install coze-tts only from a trusted source and verify the workspace path so the intended helper script is executed.