Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Feishu Voice Reply
v1.0.0
Generate Feishu-native voice replies with a playable pause/resume bar by synthesizing text, converting it with ffmpeg to Ogg/Opus, and sending it as a voice...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The description and script align on using Edge TTS + ffmpeg to produce Ogg/Opus for Feishu playback, which is coherent. However the registry metadata declares no required binaries or config paths, while the script explicitly requires the 'edge-tts' binary and 'ffmpeg' (and optionally 'ffprobe'), and the README instructs using a specific workspace directory (/root/.openclaw/workspace/temp/voice) that isn't declared — this mismatch between claimed requirements and actual needs is a coherence issue.
Instruction Scope
SKILL.md gives a focused workflow for building and sending Feishu voice messages, but it contains unresolved git merge conflict markers (<<<<<<< HEAD and >>>>>>>) and claims 'Emoji 自动过滤:脚本会自动过滤 emoji' ("Emoji auto-filtering: the script automatically filters emoji") while the included Python script contains no emoji-filtering logic. The README also mandates storing files in a specific workspace path; the script will accept an out-dir but the documentation's hard requirement is not enforced or declared. These discrepancies mean the runtime instructions and implementation are not fully consistent.
Install Mechanism
There is no install spec (instruction-only), which is lower risk. But the shipped script depends on external binaries (edge-tts, ffmpeg, optional ffprobe) that are not installed or declared by the skill; the environment must provide them. This is an operational gap rather than an active install risk, but the skill should declare these prerequisites.
Credentials
The skill requests no credentials or environment variables and the script does not access secrets or external endpoints; it only invokes local binaries and writes files to disk. That is proportional to the stated purpose.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent privileges or modify other skills. It writes output files to a workspace directory (as documented), which is normal for this task.
What to consider before installing
This skill appears to do what it says (synthesize speech with edge-tts and convert via ffmpeg), but there are several red flags you should address before installing or using it:
1) SKILL.md contains unresolved git merge conflict markers. Ask the author to clean and re-publish.
2) SKILL.md claims the script auto-filters emoji, but the provided script contains no emoji filtering logic. Request clarification or a corrected script if you need that behavior.
3) The script requires the 'edge-tts' and 'ffmpeg' binaries (and optionally 'ffprobe') but the skill metadata doesn't declare these prerequisites. Ensure these tools are installed and trusted on the host.
4) The README instructs storing files under /root/.openclaw/workspace/temp/voice. Confirm that writing to that workspace is acceptable in your environment and that no sensitive files could be exposed.
5) Because this is instruction-only with an included script, inspect and run the script in a safe, isolated test environment first.
If the author fixes the merge conflict, documents dependencies explicitly, and either implements the claimed emoji filtering or removes that claim, the skill becomes much more coherent. If you need help vetting a corrected version, provide the updated files.
