Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Feishu Voice Bot

v1.0.0

Send native voice bubbles via Feishu using edge-tts + ffmpeg. Converts text to OGG/Opus audio and sends as a playable blue voice bubble. Use when: (1) User s...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cxzcy/feishu-voice-bot.

Install the skill "Feishu Voice Bot" (cxzcy/feishu-voice-bot) from ClawHub.
Skill page: https://clawhub.ai/cxzcy/feishu-voice-bot
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install feishu-voice-bot

ClawHub CLI

npx clawhub@latest install feishu-voice-bot

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The code and SKILL.md align with the stated goal (text → edge-tts → ffmpeg → Feishu voice bubble). However the skill metadata declares no required binaries or env vars while the SKILL.md and script require node, ffmpeg, and the separate edge-tts skill script in ~/.openclaw/workspace/skills/edge-tts/scripts/tts-converter.js. The missing dependency metadata is an inconsistency.
! Instruction Scope
The runtime script execSync()s shell commands that incorporate user-provided text into a shell command string. Although double quotes are used, POSIX shells still perform command substitution inside double quotes (e.g., $(...), `...`, $VAR expansions), so an attacker-controlled text could trigger arbitrary shell commands when the agent or user supplies input. The SKILL.md also expects the agent to access another skill's script in the user's HOME workspace (reads process.env.HOME implicitly) and creates temp files in /tmp that are not cleaned up.
Install Mechanism
Instruction-only plus a small helper script; there is no install spec and nothing is written by the skill itself. This lowers install-time risk.
! Credentials
The skill does not request credentials, which matches its purpose, but it implicitly relies on process.env.HOME and the presence of another skill file under the user's workspace. It also requires ffmpeg and node but does not declare them in metadata. No secrets are requested, which is appropriate, but relying on another skill's script path in the user's home directory is an implicit dependency that should be declared.
Persistence & Privilege
The skill is not always-enabled and does not request elevated/persistent privileges. It does not modify other skills' config. Autonomous invocation remains allowed by platform default but is not combined here with unusual privileges.
What to consider before installing
This skill appears to implement the advertised Feishu voice-bubble flow, but exercise caution before installing or running it:

  • Command-injection risk: The helper script builds shell commands with user-supplied text via execSync(). Because the shell still performs command substitution inside double quotes, malicious input could run arbitrary commands. Don't run this skill on sensitive systems or accept untrusted input without fixing the code.
  • Dependency mismatch: The metadata doesn't list required binaries (node, ffmpeg) or the dependency on the edge-tts skill file in ~/.openclaw/workspace/skills/edge-tts/scripts/tts-converter.js. Verify those are present and trustworthy before use.
  • Temp file hygiene: Audio files are written to /tmp and not cleaned up; if audio can contain sensitive content, consider deletion after sending.

Recommended mitigations before use:

  1) Patch the script to avoid shell interpolation of user text — use child_process.execFile / spawn with argument arrays or pass the text via stdin or a temp file rather than embedding it in a shell command string.
  2) Sanitize or escape characters that could trigger shell expansion (e.g., $, `, $( ), backticks) if you cannot change the invocation method.
  3) Update the skill metadata to declare required binaries and the dependency on the edge-tts skill so installers know preconditions.
  4) Add explicit cleanup of temporary files and consider a safer temp directory.
  5) Only run this skill when you trust the edge-tts script and the environment; do not allow autonomous agent runs on systems with sensitive data until the injection issue is addressed.

If you want, I can produce a safe replacement of the helper script that uses execFile/spawn or writes input to a temp file to eliminate shell injection risk.
scripts/voice-bubble.mjs:62
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

MIT-0

Feishu Voice Bubble

Send native voice bubbles (blue playable bubbles) via Feishu using bot identity.

Workflow

text → edge-tts (mp3) → ffmpeg (ogg/opus) → message tool (media=) → native bubble

Quick Usage

# One-liner via the helper script
node scripts/voice-bubble.mjs "你好陛下" --voice zh-CN-XiaoxiaoNeural

Or use the message tool directly after generating the audio:

# Step 1: Generate
cd ~/.openclaw/workspace/skills/edge-tts/scripts
node tts-converter.js "文本" --voice zh-CN-XiaoxiaoNeural --output /tmp/voice.mp3

# Step 2: Convert
ffmpeg -i /tmp/voice.mp3 -c:a libopus -b:a 32k /tmp/voice.ogg -y

# Step 3: Send via message tool
message(action=send, channel=feishu, target=<open_id_or_chat_id>, media=/tmp/voice.ogg)

Supported Voices

Language   Voice ID                Characteristics
Chinese    zh-CN-XiaoxiaoNeural    Female, natural
Chinese    zh-CN-YunxiNeural       Male, natural
English    en-US-AriaNeural        Female
English    en-US-GuyNeural         Male

Full list: node ~/.openclaw/workspace/skills/edge-tts/scripts/tts-converter.js --list-voices

Notes

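  • No user OAuth required: bot identity + message tool + media= is enough to send a native bubble
  • Format: Feishu requires OGG/Opus; edge-tts outputs MP3, so an ffmpeg conversion is needed
  • Temp files: generated audio is stored in /tmp/ and is not cleaned up automatically
  • Chinese by default: zh-CN-XiaoxiaoNeural is used when no voice is specified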
