Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
MiniMax TTS for FeiShu
v1.0.2MiniMax 文字转语音,支持中文音色、自动情绪检测、语气词音效和停顿标记
⭐ 0· 82·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill claims to call MiniMax TTS and send audio to Feishu and the code indeed calls api.minimaxi.com and open.feishu.cn and requires MINIMAX_API_KEY, FEISHU_APP_ID, and FEISHU_APP_SECRET. No unrelated credentials or binaries are requested. The files and environment variables align with the stated purpose.
Instruction Scope
Runtime instructions and SKILL.md match the code paths (tts, design, list, update, save/trigger). The skill reads/writes local cache and voice-map files (/tmp/last_miss_m_message.txt, voices-map.md) and calls Feishu message APIs to fetch and send messages — these are expected for this integration. Note: there are implementation bugs that may cause runtime failures (index.js spawns python3 on a shell script; voice_design.py calls send_audio_message without importing/defining it) which are correctness issues but not evidence of hidden/excessive data access.
Install Mechanism
No install spec is provided (instruction-only install), and included code is plain Python/JS/bash that will run in the environment. No remote download URLs, archive extraction, or surprising installer behavior detected.
Credentials
Requested environment variables (MINIMAX_API_KEY, FEISHU_APP_ID, FEISHU_APP_SECRET, optional FEISHU_USER_OPEN_ID, and optional TTS_VOICES_MAP_PATH) are proportional and necessary for TTS generation and Feishu integration. No unrelated secrets or extra third-party tokens are requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide agent settings. It writes local files (voice map and /tmp caches) within expected scope. Autonomous invocation is allowed (platform default) but not combined with elevated privileges.
Assessment
This skill appears to do what it says: convert text using MiniMax and send audio to Feishu. Before installing, ensure you: 1) provide only scoped MiniMax and Feishu credentials and avoid committing them; 2) restrict FEISHU_USER_OPEN_ID to the intended recipient(s); 3) run the skill in a non-production/sandbox environment first — there are implementation bugs (index.js invokes python3 on a shell script, and voice_design.py references send_audio_message without importing it) that can cause errors; 4) verify network policy so only api.minimaxi.com and open.feishu.cn are contacted; and 5) if you need stronger assurance, request the maintainer fix the noted bugs and review the code that fetches message content (it will read messages via Feishu API when given valid app credentials).index.js:19
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
audiovk977v4c8309ns46f1ngr4c40d983kxytchinesevk977v4c8309ns46f1ngr4c40d983kxytfeishuvk977v4c8309ns46f1ngr4c40d983kxytlatestvk977v4c8309ns46f1ngr4c40d983kxytminimaxvk977v4c8309ns46f1ngr4c40d983kxytttsvk977v4c8309ns46f1ngr4c40d983kxytvoicevk977v4c8309ns46f1ngr4c40d983kxyt
License
MIT-0
Free to use, modify, and redistribute. No attribution required.