Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Voice Tts

v1.1.1

Converts text to speech with MOSS-TTS and sends it to a Feishu group or individual. Supports the voice message format (with a waveform bar).

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (convert text to speech via MOSS-TTS and send to Feishu) matches the scripts' behavior. However the registry metadata claims 'Required env vars: none' and 'Required binaries: none', while the code and SKILL.md clearly require MOSS_API_KEY, FEISHU_APP_ID, FEISHU_APP_SECRET and the ffmpeg binary. This mismatch is an incoherence between claimed requirements and actual needs.
Instruction Scope
The SKILL.md instructions are narrowly scoped and align with the code: call MOSS-TTS, transcode with ffmpeg, upload to Feishu, and optionally fetch message history. The scripts only access the Feishu and MOSS endpoints shown in the files. One minor red flag: SKILL.md's statement that 'Feishu configuration in OpenClaw was automatically completed' may be misleading — the scripts still require FEISHU_APP_ID/SECRET, and the metadata did not declare these.
Install Mechanism
There is no installer that downloads external code at runtime; the package is delivered as scripts in the skill bundle. No remote-install URLs or archive extraction steps were found. This is low install risk.
Credentials
The scripts legitimately require MOSS_API_KEY and FEISHU_APP_ID/FEISHU_APP_SECRET to operate; those environment variables are appropriate for the stated integration. The concern is that the skill metadata claims no required environment variables, which could lead users to inadvertently provide credentials without realizing. Required variables are named SECRET/KEY which is expected, but the metadata omission is a packaging inconsistency that affects user consent/awareness.
Persistence & Privilege
The skill does not request permanent platform presence (always: false). It does not modify other skills or system-wide settings. It runs as ad-hoc scripts and uses no elevated privileges beyond network calls to the noted APIs.
What to consider before installing
This skill's functionality appears to match its description (MOSS-TTS -> ffmpeg -> Feishu upload), but the published metadata omitted required environment variables and the requirement to install ffmpeg. Before installing or using it:
1) Do not supply secrets blindly: verify you want to give FEISHU_APP_ID/FEISHU_APP_SECRET and MOSS_API_KEY to this code and to the endpoints referenced (studio.mosi.cn and open.feishu.cn).
2) Confirm ffmpeg is installed in the environment.
3) Review the scripts (they are short and readable) to ensure they meet your policy; they call the listed external APIs and use subprocess/ffmpeg but do not contain obfuscated code or unknown endpoints.
4) Ensure the Feishu app permissions requested (message send, file upload, read) are acceptable and apply least privilege.
5) Ask the publisher to correct the skill metadata to declare required env vars and binaries; the current mismatch is misleading.
If you cannot verify the MOSS endpoint or do not want to share these credentials, do not install/use the skill.
