ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Voice Bubble

v1.1.0

Send native voice bubble messages (语音气泡) in Feishu/Lark chats using Edge TTS. Converts text to opus audio via Microsoft Edge TTS (free, no API key needed), t...

0· 208·0 current·0 all-time
by@saokiritokun
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's name/description promise sending native Feishu voice-bubble messages, but the only included code (scripts/gen_voice.js) generates .opus files using node-edge-tts and prints JSON. There is no Feishu API client, no upload/send logic, and no credential requirements. The SKILL.md shows a JSON "Send to Feishu" example but does not implement or document how the file gets uploaded or authenticated. This is an incoherence between claimed capability and actual implementation.
Instruction Scope
The runtime instructions and the script stay within TTS generation: they call node-edge-tts, write .opus files, split text, and log results. They do not read unrelated system files, environment variables, or transmit data to unexpected external endpoints beyond what node-edge-tts uses. The SKILL.md does instruct 'npm install node-edge-tts' which is appropriate for the task.
Install Mechanism
There is no formal install spec (instruction-only). The SKILL.md requests installing the npm package node-edge-tts. That is a normal dependency, but installing npm packages pulls third-party code — users should vet the package and version. No downloads from arbitrary URLs or extract operations are present in the skill bundle itself.
Credentials
The skill declares no required environment variables or credentials, which aligns with the fact it does not call Feishu APIs. This is proportionate, but it also explains why the skill cannot perform the 'send' action on its own.
Persistence & Privilege
Flags show default behavior (always: false, user-invocable: true). The skill does not request persistent presence, system modifications, or access to other skills' configurations.
What to consider before installing
This skill will convert text to .opus files using Microsoft Edge TTS (node-edge-tts) but does not itself upload or send messages to Feishu. If you expect an end-to-end Feishu sender, you'll need a separate integration that uploads the .opus file to Feishu (and that integration will require Feishu API credentials). Before installing: 1) verify/trust the node-edge-tts npm package and its network behavior (it will call Microsoft TTS endpoints and send your text there), 2) confirm how your agent or environment will upload the generated .opus to Feishu (authorization/permissions), and 3) if you need automatic sending, request or add a Feishu upload/sending component that securely handles credentials rather than relying on this script alone.

Like a lobster shell, security has layers — review code before you run it.

latestvk97243rm97wm0yf604spc58cwd830b7f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments