Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu BGM

v1.1.0

Scenario-based background music generator for Feishu. Generates instrumental BGM through the MiniMax Music API and sends it to a Feishu group as an audio message. Trigger phrases: "来点BGM" (play some BGM), "开会背景音" (meeting background audio), "加班音乐" (overtime music), "头脑风暴BGM" (brainstorming BGM), "会议音乐" (meeting music), "工作BGM" (work BGM), "放点音乐" (put on some music), "背景音乐" (background music), "需要BGM" (need BGM). Activates when a user describes a scene in a Feishu group and wants background music for it.

by Rong@kylinr
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

Capability signals: Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (generate BGM for Feishu groups via MiniMax) matches the instructions and the bundled Python script. However, registry metadata reports no required environment variables or primary credential while the SKILL.md and scripts clearly require MiniMax authentication (CLI login or MINIMAX_API_KEY). That mismatch is unexpected and should be corrected by the author.
Instruction Scope
Runtime instructions are narrowly scoped to: install/use the MiniMax CLI, or call the provided Python script to request audio from MiniMax, then send the resulting MP3 to the Feishu chat via a 'message' tool. The instructions do not request unrelated system files or other external services beyond MiniMax and Feishu messaging.
Install Mechanism
There is no automated install spec; the SKILL.md instructs the user to install a public npm package (mmx-cli) and optionally run the included Python script. The npm package referenced points to a GitHub repo in the doc link; no obscure download URLs or archive extraction are used in the skill itself.
Credentials
The Python script requires a MINIMAX_API_KEY environment variable, and the SKILL.md documents CLI authentication (API key or OAuth). Yet the registry metadata lists no required env vars or primary credential. The API key request is proportional to the stated purpose, but the failure to declare it in metadata is a security/process concern. Confirm where and how the API key will be stored and used, and whether the key can be restricted to a limited scope and quota.
Persistence & Privilege
The skill does not request always:true and has no install-time behavior that modifies other skills or system-wide configs. It operates on-demand and writes only its generated audio to /tmp/openclaw or other provided paths.
What to consider before installing
This skill appears to do what it says (generate BGM via MiniMax and send it to Feishu), but the registry metadata incorrectly omits the required MiniMax credential. Before installing: (1) verify you are comfortable giving an API key to the MiniMax service (api.minimaxi.com) and ensure the key has limited scope/quotas; (2) confirm how the 'message' tool sends files (that it posts only to the Feishu group and not to other endpoints); (3) inspect the mmx-cli project and the included scripts/generate_bgm.py (already bundled) to ensure no additional network endpoints or unexpected behavior; (4) ask the skill author to update the registry metadata to declare MINIMAX_API_KEY (or equivalent) so permissions are explicit. If you cannot verify those points or do not trust the MiniMax service/author, do not install or provide your API key.


