Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
feishu-audio-messages
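v1.0.0 · Sends voice messages through the Feishu Open API; supports text-to-speech and uploading audio files in multiple formats, automatically converting them to opus format for sending.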
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The script's functionality (TTS -> convert -> upload -> send via Feishu Open API) matches the skill name and description. The Feishu APP ID/SECRET it uses are appropriate for this purpose. However, the registry metadata declares no required environment variables or primary credential even though the script requires FEISHU_APP_ID and FEISHU_APP_SECRET (or equivalent entries in ~/.openclaw/.env or ~/.openclaw/openclaw.json). This omission is an inconsistency in the manifest.
Instruction Scope
SKILL.md and send-voice.sh limit actions to generating/transforming audio, reading credentials (env or two ~/.openclaw paths), calling local tools (edge-tts, ffmpeg, curl, optional jq), and POSTing to open.feishu.cn endpoints. The script does not attempt to read unrelated system files, contact network endpoints beyond Feishu, or exfiltrate data to other hosts.
Install Mechanism
No install spec (instruction-only + an included script). Dependencies are local binaries and a pip package (edge-tts). There are no downloads or archive extraction steps in the skill itself. Risk level is low for install mechanism.
Credentials
The script legitimately needs FEISHU_APP_ID and FEISHU_APP_SECRET to call Feishu APIs and looks for them in environment variables or in ~/.openclaw/.env and ~/.openclaw/openclaw.json. The skill registry, however, declares no required env/primary credential. Requiring secrets but not declaring them in metadata is a meaningful discrepancy and could lead to surprise credential access (the script will read dotfiles in the user's home).
Persistence & Privilege
always:false (no forced persistent presence). The skill does not modify other skills, does not attempt to persist its own credentials beyond reading them, and only creates temporary files under /tmp for conversion — behavior is proportional to its purpose.
What to consider before installing
This script appears to do what it says (TTS -> convert -> upload -> send to Feishu), but the package metadata omitted the fact it requires Feishu credentials. Before installing or running:
1) Review the script (already included) and confirm you trust its Feishu API calls to open.feishu.cn.
2) Provide FEISHU_APP_ID and FEISHU_APP_SECRET via environment variables rather than dropping them into shared config files, or verify ~/.openclaw/.env and ~/.openclaw/openclaw.json contain only intended values.
3) Run edge-tts inside a virtualenv and ensure ffmpeg is from a trusted package manager.
4) Because the manifest didn't declare required secrets, be cautious about automated installs or agents that auto-provide credentials — prefer manual invocation.
5) If you need higher assurance, ask the publisher for a signed source or publish origin (homepage) and an explicit manifest that lists required env vars and permissions.
Like a lobster shell, security has layers — review code before you run it.
latest vk973hnx6mqj9j9acmcs4jf4th183ecs0
