feishu-audio
PassAudited by ClawScan on May 1, 2026.
Overview
This skill’s code matches its stated purpose of converting an audio file and sending it as a Feishu voice message, but it uses Feishu bot credentials and uploads local audio to Feishu.
This appears coherent and purpose-aligned. Before installing or using it, make sure you trust the Feishu app credentials you provide, restrict the app permissions to only what is needed, confirm the recipient Open ID, and only send audio files you are comfortable uploading to Feishu.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone invoking the skill with valid Feishu credentials can send audio messages through that Feishu bot/app.
The script uses Feishu application credentials to obtain a tenant access token, which is expected for sending Feishu bot messages but is still delegated account authority.
APP_ID="${FEISHU_APP_ID}"
APP_SECRET="${FEISHU_APP_SECRET}"
... tenant_access_token/internalUse a least-privilege Feishu app, protect the app secret, and verify the recipient Open ID before running the script.
The selected audio file may contain private information and will be sent to Feishu before being delivered as a message.
The converted local audio file is uploaded to Feishu’s API, which is necessary for the skill but means local audio content is transmitted to an external service.
curl -s -X POST "https://open.feishu.cn/open-apis/im/v1/files" ... -F "file=@$OPUS_FILE"
Only use the skill with audio files you are comfortable uploading to Feishu, and confirm the intended recipient.
Running the skill executes local media-processing commands and writes a temporary opus file under /tmp.
The skill runs local command-line tools to process a user-supplied audio file path; this is central to the stated audio conversion purpose and arguments are quoted.
ffmpeg -i "$AUDIO_FILE" -c:a libopus -b:a 24k -ar 24000 -ac 1 -y "$OPUS_FILE"
Run it only on audio files you selected and ensure ffmpeg/jq/curl are trusted local installations.
Installation metadata may not warn users up front that credentials and local tools are needed.
The registry metadata under-declares operational requirements that are disclosed in SKILL.md and used by the script, including Feishu credentials and local command-line tools.
Required binaries (all must exist): none Required env vars: none Primary credential: none
Before installing, note the documented requirements: ffmpeg, Feishu app ID/secret, a receiver Open ID, and working curl/jq tooling.