Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Feishu Send Voice
v0.1.0将文本转为语音并通过飞书 audio 消息发送给指定用户。用于“给用户发语音”“把这段话转语音并发飞书”“语音播报结果”等场景,尤其当普通文件发送会降级为文本时使用。仅在指定 channel=feishu 时触发。优先在需要高可达、可听播报时使用。
⭐ 2· 459·5 current·5 all-time
bytangzhan_aicoding@tangc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The script implements exactly what the name/description promise: uses edge-tts to generate MP3, ffmpeg to convert to opus-in-ogg, obtains a Feishu tenant token, uploads the file and sends an audio message to a specified open_id. The need for ffmpeg, edge-tts and Feishu credentials is coherent with that purpose.
Instruction Scope
SKILL.md and the shell script are consistent: they instruct running the provided script which only reads the OpenClaw config (or env vars), writes temporary files, calls local binaries (edge-tts/ffmpeg/ffprobe/python3) and makes requests to official Feishu endpoints. The script does not reference other system paths or send data to unexpected external endpoints.
Install Mechanism
There is no install spec; this is instruction-only plus a shell script that relies on existing local binaries. That is the lowest install risk and consistent with the declared runtime requirements.
Credentials
Registry metadata lists no required config paths or credentials, but the script and SKILL.md require Feishu credentials — either via environment variables (FEISHU_APP_ID/FEISHU_APP_SECRET) or by reading ~/.openclaw/openclaw.json. This mismatch (metadata says none, runtime requires credentials/config) is an incoherence that could surprise users. Otherwise, the amount and type of secrets requested are proportional to the task.
Persistence & Privilege
The skill does not request permanent/always-on inclusion, does not modify other skills or global agent settings, and does not persist credentials beyond the normal API calls. Autonomous invocation is allowed (platform default) but not combined with other high-risk behaviors.
What to consider before installing
This skill appears to be what it claims (text→TTS→send to Feishu). Before installing or running it: 1) verify the script source/trustworthiness (source is listed as unknown); 2) note that it reads your Feishu appId/appSecret either from environment variables or from ~/.openclaw/openclaw.json — the package metadata did not declare that config dependency, so confirm you’re comfortable granting it access to that file; 3) prefer supplying FEISHU_APP_ID/FEISHU_APP_SECRET via environment variables rather than leaving credentials in shared config; 4) inspect and run the script in a controlled environment (or with minimal-permission Feishu app) to confirm behavior; and 5) ensure edge-tts and ffmpeg are installed from trusted sources. If you cannot verify the skill source or do not want the skill to read ~/.openclaw/openclaw.json, do not install/run it.Like a lobster shell, security has layers — review code before you run it.
latestvk978hbfm4eahtx7mb2594k27zs829hv3
License
MIT-0
Free to use, modify, and redistribute. No attribution required.