feishu-voice-sender - Feishu voice message sending

Security checks across malware telemetry and agentic risk

Overview

This skill clearly does what it says: it turns text into audio with Edge TTS and sends it to Feishu. Privacy and dependency-installation cautions apply.

Install only if you are comfortable sending the text you provide to Microsoft Edge TTS and posting the generated audio into a Feishu chat using your existing OpenClaw permissions. Avoid secrets, regulated data, or sensitive business content, verify the target chat before sending, and prefer installing Python dependencies in a virtual environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill documentation advertises commands that invoke Python, install system packages, and imply use of environment/configuration and file generation, yet it does not declare permissions for shell, file writing, or environment access. This creates a trust and review gap: users and platforms cannot accurately assess what the skill will do before execution, increasing the chance of unintended command execution or data handling.

Missing User Warnings

Medium
Confidence: 89%
Finding: The README instructs users to send arbitrary text through Edge TTS and then post the generated voice message to Feishu, but it does not warn that the input text may be transmitted to external services and shared into a collaboration platform. This can lead to accidental disclosure of sensitive internal data, especially because users may assume a local-only conversion and not realize the text/audio leaves their system or is posted to organizational chat spaces.

Missing User Warnings

Medium
Confidence: 93%
Finding: The description says text will be converted and sent to Feishu, but it omits an explicit warning that user-provided text is processed by Edge TTS and that the resulting audio is transmitted to Feishu. This is dangerous because users may supply sensitive operational or personal content without realizing it will be sent to third-party services, creating privacy and compliance risks.

VirusTotal

64/64 vendors flagged this skill as clean.
