Feishu Audio Message

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to do what it claims—send TTS audio messages to Feishu—but it uses existing Feishu app credentials and local helper tools, so users should verify permissions and recipients.

Before installing, make sure you are comfortable letting this skill use your configured Feishu app credentials to upload audio and send messages. Verify chat IDs and message content, avoid sending sensitive audio unless appropriate for the Feishu workspace, and ensure the local TTS helper and command-line tools are trusted.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can act through the configured Feishu app and post audio messages to chats the app is allowed to reach.

Why it was flagged

The script reads Feishu app credentials from environment variables or the local OpenClaw configuration to obtain a tenant access token. This is expected for sending Feishu messages, but it is sensitive account authority.

Skill content

CONFIG_FILE="/root/.openclaw/openclaw.json" ... d['channels']['feishu']['accounts']['main']['appSecret']

Recommendation

Install only if you trust the skill with your Feishu bot/app permissions, and verify the target chat ID before sending.

What this means

A mistaken text, file, or chat ID could send an unintended audio message to a Feishu chat.

Why it was flagged

The script uses raw Feishu API calls to upload and send an audio message. This matches the stated purpose, but it is still a message-sending action in an external workspace.

Skill content

curl -sf -X POST "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=chat_id" ... "msg_type": "audio"

Recommendation

Use it for deliberate send requests, and double-check message content and recipient IDs.

What this means

The skill may fail or behave differently if the local TTS helper is missing or replaced by an untrusted binary.

Why it was flagged

The script depends on a pre-existing local TTS helper, plus curl and python3, while the registry lists no required binaries or install spec. This is not malicious by itself, but it is an undeclared dependency/provenance consideration.

Skill content

TTS_BIN="/app/openclaw/node_modules/.bin/node-edge-tts" ... "$TTS_BIN" -t "$TEXT" -f "$TMP_FILE"

Recommendation

Confirm that the OpenClaw environment provides trusted versions of node-edge-tts, curl, and python3.