Feishu Voice Message
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill matches its advertised voice-message purpose, but users should be aware it runs local Node/FFmpeg tooling and may route selected text/audio through Edge TTS and Feishu.
This appears safe for its stated purpose if you trust the local Node, Edge TTS helper, and FFmpeg installations. Before using it, install dependencies from trusted sources, avoid sensitive text unless approved, and confirm the Feishu chat before sending generated voice messages.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the referenced Edge TTS helper or package is missing, outdated, or untrusted, the skill may fail or run code the user has not reviewed.
The script runs a helper located under another skill path that is not included in this manifest, so that helper’s provenance and behavior are outside the reviewed artifacts.
"node", os.path.expanduser("~/.openclaw/workspace/skills/edge-tts/scripts/tts-converter.js"),Install Edge TTS-related tooling only from trusted sources and inspect the referenced helper path before relying on the skill.
The local binaries execute with the user’s normal permissions, so compromised or unexpected binaries on the system could affect generated files or behavior.
The skill invokes local Node and FFmpeg commands. This is central to the advertised TTS and OPUS conversion workflow, and the code uses argument lists rather than shell strings.
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
Use trusted Node/FFmpeg installations and run the skill only for intended text and output paths.
Generated audio could be posted to a Feishu chat if the agent follows the workflow, so mistakes in content or destination may be visible to others.
The instructions show sending the generated OPUS file as a Feishu message. This is purpose-aligned, but it is a chat-posting/upload action.
message({ action: "send", path: "audio.opus", mimeType: "audio/opus" })Review the generated message and confirm the target chat before sending.
Text converted to speech and audio sent to Feishu may be processed or stored by external services.
The documented workflow involves Edge TTS and Feishu as service boundaries for the selected text/audio. This is expected for the skill, but privacy and retention details are not described.
Text → Edge TTS → MP3 → FFmpeg → OPUS → Feishu Voice Message
Avoid converting or sending secrets, confidential business information, or sensitive personal data unless those services are approved for that use.