Openclaw Feishu Optimizer
Status: Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: openclaw-feishu-optimizer
Version: 1.0.0

The skill is classified as suspicious due to the broad `Bash` execution permissions granted in `SKILL.md` (`allowed-tools: Bash(openclaw-feishu-optimizer:*)`). While the Python scripts (`process-message.py`, `voice-recognize.py`) do not directly construct shell commands from user input, the `voice-recognize.py` script uses the `pydub` library for audio conversion. `pydub` typically relies on external tools such as `ffmpeg`, which it executes via shell commands internally. A potential vulnerability in `pydub`'s handling of file paths or metadata when constructing these commands, combined with the skill's broad `Bash` permission, could create a shell injection risk. There is no evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints or persistence mechanisms.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding: Private or sensitive voice messages may be transmitted to Google for transcription when this feature is used.
Details: The speech-recognition code sends recorded audio data to Google Speech Recognition. This is expected for the advertised transcription feature, but it means voice-message contents may be processed by an external provider.
Evidence:
    text = r.recognize_google(audio, language=language)
Recommendation: Avoid using the transcription command on highly sensitive audio unless you are comfortable with the external speech-recognition provider.
Finding: Installing dependencies may fetch whatever current package versions are available from the package index or mirror.
Details: The skill asks the user to install unpinned Python packages. These dependencies are directly related to audio transcription, but unpinned package installation carries normal supply-chain and reproducibility risk.
Evidence:
    pip3 install SpeechRecognition pydub
Recommendation: Install dependencies from a trusted package source and consider pinning versions if you need reproducible or controlled deployments.
