Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
feishu-audio
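v1.0.1
Converts an audio file into a voice message that can be played in Feishu. It first uses ffmpeg to convert the file to opus format, then uploads it to Feishu, and finally sends an audio message. Suitable for scenarios where the user wants to receive a playable voice message in Feishu.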
⭐ 1· 574·4 current·4 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The script implements exactly what the name/description claim: convert audio to opus and upload/send to Feishu. However the package registry metadata lists no required environment variables or binaries, while the SKILL.md and script require FEISHU_APP_ID/FEISHU_APP_SECRET and ffmpeg/ffprobe/jq/curl — a mismatch between declared metadata and actual needs.
Instruction Scope
SKILL.md and the script stay within scope: they read a local audio file, convert it, obtain a Feishu tenant_access_token, upload the file to Feishu, and send a message. The script does not attempt to read unrelated system files or call unexpected third-party endpoints (only open.feishu.cn).
Install Mechanism
No install spec (instruction-only with a helper script) — low installation risk. SKILL.md recommends installing ffmpeg via brew but does not mention other required tools (jq, ffprobe, curl), which are used by the script and should be declared.
Credentials
The environment variables used (FEISHU_APP_ID and FEISHU_APP_SECRET, optional FEISHU_RECEIVER) are appropriate for interacting with Feishu. The concern is that the registry metadata does not declare any required env vars or primary credential, so the skill will in practice require and use sensitive app credentials despite metadata claiming none.
Persistence & Privilege
The skill does not request persistent/always-on privileges, does not modify other skills or system-wide settings, and only writes a temporary file to /tmp. Autonomous invocation is allowed by default but is not combined with other high-risk behaviors.
What to consider before installing
This skill appears to do what it says (convert a local audio file and send it to Feishu), but exercise caution because the registry metadata omits required credentials and binaries. Before installing or running: (1) inspect the included script (scripts/send_audio.sh) — it uploads files to https://open.feishu.cn and uses FEISHU_APP_ID/FEISHU_APP_SECRET; (2) do not supply production credentials until you trust the source; create a test Feishu app with minimal permissions (im:message, im:message:send_as_bot) and use those; (3) ensure required tools are installed (ffmpeg/ffprobe, jq, curl) — SKILL.md only mentions ffmpeg; (4) run in an isolated/test environment first and rotate any keys used for testing; (5) if you plan to use this long-term, ask the publisher to correct the registry metadata to declare required env vars and binaries. These inconsistencies look like sloppy packaging rather than overtly malicious behavior, but they increase risk and warrant verification.
Like a lobster shell, security has layers — review code before you run it.
