飞书TTS Pro (Feishu TTS Pro)

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised text-to-speech Feishu voice-message workflow, with the credential and network use that task requires; users should configure both carefully.

Install only if you are comfortable giving the skill Feishu app credentials and allowing it to send generated voice messages. Use least-privileged Feishu app permissions, protect the app secret, configure the default recipient carefully, and avoid sending secrets, regulated data, or sensitive personal information through this workflow unless your organization permits it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding:
The skill declares required environment variables and clearly depends on external services, but it does not declare permissions or explicitly communicate its network and secret-handling behavior. This can weaken policy enforcement and user awareness, especially because the skill uploads generated audio and uses app credentials to send messages to Feishu.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The trigger description is broad enough that ordinary requests like 'reply by voice' or 'send a voice message' could invoke this skill without clear constraints on recipient, content sensitivity, or confirmation. In context, that matters because activation causes message delivery to an external messaging platform, which can lead to unintended disclosure or action.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The documentation explains TTS generation and Feishu upload, but it does not prominently warn that user-provided text is transmitted to external services, including Edge-TTS and Feishu. This omission increases the risk of users unknowingly sending sensitive or regulated content off-platform and to another recipient.

VirusTotal

66 of 66 vendors rated this skill as clean (0 detections).