Back to skill
Skillv1.0.7
VirusTotal security
volcengine-tts-feishu · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMar 30, 2026, 5:01 PM
- Hash
- 30e5adc94edb297ee005911bc65a7137009afc9bd014f00157b1459cb0926b50
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: volcengine-tts-feishu Version: 1.0.7 The skill performs Text-to-Speech synthesis and sends audio to Feishu, but exhibits several high-risk behaviors and vulnerabilities. Specifically, scripts/http_tts.py reads sensitive credentials from the global ~/.openclaw/openclaw.json file and uses subprocess.run to execute curl and ffmpeg, which are high-risk capabilities. The script is also vulnerable to path traversal as it writes to a user-provided --output path without sanitization. Furthermore, there is a discrepancy in requirements.txt, which lists 'websockets' (unused) while omitting the 'requests' library required by the script, and the use of both urllib and requests for API calls to Volcengine and Feishu is inconsistent.
- External report
- View on VirusTotal