Feishu Voice (飞书语音)
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the Feishu app secret or token is misused, the bot may be able to send messages or access message media within its granted scope.
The workflow requires Feishu app credentials and permissions to send messages and access media resources. This is expected for the stated integration, but it grants real Feishu workspace authority.
`appSecret: '你的appSecret'` ... `im:message` - message sending and receiving ... `im:resource` ... `im:resource:download`
Use the minimum Feishu permissions needed, protect app secrets and tokens, avoid pasting real secrets into shared logs or chat, and revoke credentials if exposed.
Voice messages may leave Feishu/OpenClaw and be processed or logged by ElevenLabs according to that provider's policies.
Feishu voice files are uploaded to ElevenLabs for transcription, and the example explicitly enables provider logging. This is aligned with the skill purpose, but it affects voice-data privacy.
`https://api.elevenlabs.io/v1/speech-to-text?enable_logging=true` ... `-F file=@/path/to/voice.ogg`
Disclose this to affected users, review ElevenLabs retention/logging settings, and use a no-logging option if available and appropriate.
Running the setup command may require elevated privileges and will install software on the host system.
The setup instructions include installing ffmpeg with the system package manager. This is expected for audio conversion, but it modifies the local environment.
`apt-get update && apt-get install -y ffmpeg`
Run package-install commands only after user approval, from trusted package repositories, and preferably in a contained environment.
Private audio files could remain on disk after transcription or synthesis if they are not deleted.
The skill stores temporary voice files in the OpenClaw workspace. That is reasonable for conversion, but the artifact does not describe cleanup or retention.
`Temporary voice files: /root/.openclaw/workspace/`
Use per-task temporary filenames, delete voice files after processing, and avoid retaining private audio longer than necessary.
