Web TTS Speaker

Pass. Audited by ClawScan on May 12, 2026.

Overview

The skill appears to do what it claims—turn supplied web pages or text into audio—but users should avoid sensitive content and confirm the Feishu destination and local dependencies.

Install only if you are comfortable sending the chosen text or webpage content to Edge TTS and Feishu. Confirm the Feishu destination, ensure FFmpeg is installed in a trusted location, and prefer pinned dependencies if you need reproducible or stricter security behavior.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note (Medium Confidence)
ASI01: Agent Goal Hijack
What this means

A malicious or unusual webpage title/text could confuse a weak parser or agent if it treats the text field as instructions rather than plain data.

Why it was flagged

The output block is intended for Cron/Agent parsing and includes unsanitized user- or webpage-derived text. This is purpose-aligned, but downstream code should not treat that text as trusted instructions or control data.

Skill content
print(f"\n--- 以下内容供 Cron 读取 ---")
print(f"[FEISHU_VOICE]")
print(f"file={os.path.abspath(output)}")
print(f"text={text[:50]}...")
Recommendation

Escape or encode the text field in the marker, and ensure the Agent/Cron parser only uses the generated file path from trusted fields.

What this means

Generated audio may be sent using the Feishu identity and destination configured for the agent.

Why it was flagged

The skill relies on the agent's Feishu message-sending authority. This matches the stated purpose, but the artifact does not specify a recipient, workspace, or confirmation behavior.

Skill content
After reading it, the Agent uses the `message` tool to send a Feishu voice message:
message(
  action: "send",
  channel: "feishu",
  asVoice: true,
  filePath: "/path/to/voice.opus"
)
Recommendation

Confirm the Feishu account, chat/channel, and approval behavior before automating sends.

What this means

A future dependency update could change behavior or introduce vulnerabilities.

Why it was flagged

Dependencies are installed from third-party packages using version ranges rather than pinned hashes or exact versions. This is common and purpose-aligned, but it leaves future package changes outside the artifact review.

Skill content
edge-tts>=6.0.0
beautifulsoup4>=4.12.0
requests>=2.31.0
Recommendation

Prefer pinned dependency versions or a lockfile for reproducible installs.

What this means

The skill will only work where that FFmpeg executable exists, and users should know a local binary is being run.

Why it was flagged

The skill executes a local FFmpeg binary to transcode audio. This is expected for the stated audio conversion workflow, but the executable path is hard-coded and not declared in the registry requirements.

Skill content
FFMPEG = r"D:\\Programs\\ffmpeg-8.0.1-essentials_build\\bin\\ffmpeg.exe"
...
subprocess.run(cmd, capture_output=True, text=True, check=True)
Recommendation

Declare FFmpeg as a required binary and use a configurable or PATH-based executable location.

What this means

Private text or content from a private URL could be sent to an external TTS service and then potentially to Feishu as audio.

Why it was flagged

The selected text or extracted webpage content is sent to the Edge TTS provider to generate speech. This is central to the skill, but users should understand the external data flow.

Skill content
communicate = edge_tts.Communicate(text, voice)
await communicate.save(temp_wav)
Recommendation

Use only with content you are comfortable sending to the TTS provider and Feishu; document this data flow clearly for users.