ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Voice Message

v1.0.4

Send voice messages across chat channels (Telegram, Discord, Feishu/Lark, Signal, WhatsApp, and others) using edge-tts for text-to-speech and ffmpeg for audi...

1· 1.1k·6 current·7 all-time
by@xmanrui
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (send voice messages via edge-tts + ffmpeg to multiple chat platforms) matches the included scripts and SKILL.md: gen_voice.sh creates OGG/OPUS using edge-tts and ffmpeg, gen_waveform.py computes waveform/duration for Discord, and send_feishu_voice.sh uploads and sends audio via Feishu API. The required tools (edge-tts, ffmpeg/ffprobe, curl, python3) are appropriate and proportionate to the stated purpose.
Instruction Scope
Runtime instructions stay within purpose: they call local conversion tools and platform APIs. Two operational/privacy notes: (1) edge-tts will send text audio requests to an external TTS service (expected but relevant for privacy of message contents); (2) the Feishu tenant_access_token is passed as a CLI argument in send_feishu_voice.sh, which can expose it via process listings or shell history—SKILL.md does not warn about this. The scripts do not read unrelated files or environment variables.
Install Mechanism
This is instruction-only with bundled scripts and no install spec — no downloads or archives are performed by the skill itself. That lowers install-time risk; required third-party tools are standard (edge-tts, ffmpeg).
Credentials
The skill declares no required environment variables or credentials and instead expects tokens/IDs to be provided at runtime (e.g., tenant_access_token argument for Feishu). That is proportionate, but passing secrets on the command line is risky (process-list exposure and shell history). Users should avoid supplying long-lived secrets as plain CLI args and prefer ephemeral tokens or safer injection mechanisms (stdin/env with proper protection).
Persistence & Privilege
The skill does not request persistent/system-wide privileges, does not set always:true, and does not modify other skills or global agent settings. It runs as-needed and requires explicit invocation.
Assessment
This skill appears to do what it says, but consider these operational cautions before installing: (1) The scripts call external services — edge-tts will send the text you convert to a remote TTS service, and send_feishu_voice.sh calls Feishu APIs — so message contents and tokens travel over the network. (2) Avoid passing long-lived tokens as plain command-line arguments (they can be visible via ps and may be stored in shell history); prefer ephemeral tokens or supplying tokens via a protected environment variable or stdin if you adapt the scripts. (3) Ensure you trust the source (no homepage provided) before running bundled shell scripts; inspect and, if needed, run them in a restricted environment. (4) Confirm required tools (edge-tts, ffmpeg/ffprobe, curl, python3) are installed from official sources. If you want higher assurance, request the skill author to accept tokens via stdin/env and to document any data retention or telemetry from the TTS provider.

Like a lobster shell, security has layers — review code before you run it.

latestvk972bt0kk76w8a4daev4egk92h81ysbb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎤 Clawdis

Comments