Skill v1.1.0
ClawScan security
Bot Voice Config Clean · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 13, 2026, 11:30 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and SKILL.md are consistent with a VolcEngine (火山引擎) TTS + Feishu integration, but the registry metadata omits required environment variables and runtime dependencies (jq, ffmpeg, curl), so there are coherence gaps you should verify before installing.
- Guidance: This skill appears to do exactly what it claims (generate VolcEngine TTS and send test audio via Feishu), but the published metadata omitted required environment variables and runtime tools. Before installing or running it:
  1. Verify and only provide minimal-permission API credentials (VOLC_API_KEY, FEISHU_APP_ID/SECRET) and consider creating scoped/rotated keys.
  2. Ensure jq, curl and ffmpeg are installed and inspect the script (scripts/voice-config.sh) yourself for any modifications you don't expect.
  3. Confirm you are comfortable with the skill writing/updating ~/.openclaw/workspace/config/bot-voice-config.json and keeping backups.
  4. Because the skill will call external APIs, only use credentials for accounts you trust and consider testing in an isolated account first.
  5. Ask the author or publisher to update the registry metadata to declare required env vars and runtime dependencies so the intent is transparent.
Review Dimensions
- Purpose & Capability (note): The skill's name/description (configure and bind VolcEngine TTS voices, send test audio to Feishu) matches the script behavior: it calls a VolcEngine TTS endpoint and Feishu APIs. However the published registry metadata declares no required environment variables or binaries while the SKILL.md and scripts clearly require VOLC_API_KEY, VOLC_RESOURCE_ID, FEISHU_APP_ID, FEISHU_APP_SECRET (and optional FEISHU_DEFAULT_USER_ID). That metadata omission is an inconsistency that reduces transparency.
- Instruction Scope (ok): SKILL.md and the included script restrict actions to listing/setting voices, generating TTS via VolcEngine, converting audio (ffmpeg), and uploading/sending audio to Feishu. The instructions reference user config files under ~/.openclaw and send data only to VolcEngine and open.feishu.cn endpoints — these are within the stated purpose. Minor oddity: the script looks for a local voice list at a path with a duplicated 'workspace/workspace' which is likely a bug but not malicious.
- Install Mechanism (ok): No install spec is present (instruction-only plus a shell script), so nothing will be downloaded at install time. This is lower risk. The runtime script does assume external CLI tools (curl, jq, ffmpeg) are present but these are not declared in registry metadata.
- Credentials (concern): Requested secrets (VolcEngine API Key and Feishu App ID/Secret) are appropriate for TTS generation and sending messages to Feishu, but the skill's registry declared no required env vars. The script will accept credentials via environment variables or read them from the user's config file and will use them to call external APIs — that is expected, but the missing declaration is a transparency problem. Also note the skill will persist configuration and create backups under the user's home directory (~/.openclaw), which is reasonable but you should verify the config does not accidentally include other secrets.
- Persistence & Privilege (ok): always:false and no modifications to other skills are present. The script writes/updates its own config file and makes .bak backups in the user's ~/.openclaw workspace — expected for a config tool and not excessive. The skill can be invoked autonomously by agents (disable-model-invocation:false) — this is platform default and not flagged alone.
