Feishu Voice Tts

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it also includes Feishu chat-history reading that broadens access beyond voice TTS sending.

Install only if you are comfortable granting Feishu credentials that can send messages and, if enabled, read chat history. Prefer limiting Feishu app scopes to the sending workflow unless you specifically need history lookup, and avoid sending sensitive text through the external TTS provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documents use of environment variables, shell execution via ffmpeg, file output, and network access, but does not declare permissions or prominently disclose these capabilities. This creates a transparency and consent gap: users or platforms may invoke the skill without understanding that it can access secrets, write files, and communicate externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is TTS generation and sending voice messages, but the documentation also includes the ability to retrieve and filter Feishu message history. This is a material expansion from outbound messaging into inbound data access, which can expose private conversations and metadata beyond what users would reasonably expect from a TTS skill.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documentation presents a separate get_history.py capability even though the skill is described only as converting text to speech and sending voice messages. Hidden or under-declared read functionality increases the risk of covert data collection and makes user consent uninformed.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Fetching Feishu message history is not necessary for the documented TTS-and-send workflow, so the extra capability violates least privilege. Unnecessary read access expands the attack surface and could be abused to collect chat content, timestamps, and message types from groups or individuals.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file retrieves and prints Feishu chat history, which is unrelated to the stated skill purpose of converting text to speech and sending voice messages. That mismatch introduces an unjustified data-access capability that could expose sensitive conversation contents, metadata, and attachments to anyone running the skill or reviewing its output.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Implementing chat-history access in a TTS voice-sending skill expands the skill's privileges beyond its advertised function. In this context, the extra capability is more dangerous because users may grant credentials expecting message delivery only, while the code can also enumerate and disclose historical chat data.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation rule includes broad phrases and a catch-all 'or similar requests,' which can cause the skill to trigger on ambiguous user prompts. Because the skill sends content externally to Feishu and may involve sensitive text, over-broad activation increases the chance of unintended data transmission or use of linked credentials.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The description does not clearly warn that user-provided text will be sent to an external TTS provider and then uploaded to Feishu, nor that the documented tooling can access message history. Missing disclosure undermines informed consent and can lead to privacy violations when users do not realize their content and chat data may leave the local environment.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script accesses and displays chat history without any warning, consent prompt, or clear notice that potentially sensitive conversation data will be retrieved and printed to the console. This increases the risk of accidental privacy violations, especially in shared terminals, logs, CI environments, or when used by operators who expect only TTS functionality.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script transmits arbitrary user-supplied text to a third-party TTS service, which can expose sensitive or private content if users assume processing is local. In the context of an agent skill, this is more dangerous because automation may pass chat content, secrets, or internal text to the external provider without an explicit disclosure step.

VirusTotal

66/66 vendors flagged this skill as clean.
