feishu-edge-tts-win
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill appears to do its stated job of converting text into a Feishu voice message, but it uses local Feishu app credentials and external TTS/upload services.
This skill looks consistent with its description. Before installing or running it, make sure you trust the reviewed script, have installed edge-tts/ffmpeg/curl from trusted sources, protect your Feishu app secret, and only send non-sensitive text to intended Feishu recipients.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone able to run this skill with the configured credentials may be able to send Feishu messages through the app's permissions.
The skill reads local Feishu app credentials and exchanges them for a tenant access token. This is disclosed and purpose-aligned, but it is still privileged account access.
feishu = config["channels"]["feishu"] app_id = feishu["appId"] app_secret = feishu["appSecret"] ... token = get_token(app_id, app_secret)
Use a least-privilege Feishu app, protect the OpenClaw config file, and run this only on a trusted machine.
Running the command can send a real Feishu voice message to another user.
The script sends an audio message to the supplied Feishu open_id. This matches the skill purpose, but it is an external account action.
"receive_id": open_id,
"msg_type": "audio",
...
f"{FEISHU_API}/im/v1/messages?receive_id_type=open_id"Confirm the recipient open_id and message text before running, and avoid unattended use with arbitrary inputs.
The behavior also depends on locally installed third-party tools, not only the reviewed script.
The documented setup relies on an unpinned Python package and an external ffmpeg binary, while no install spec or lockfile is provided.
pip install edge-tts `ffmpeg` 需要可执行(已加入 PATH)。
Install dependencies from trusted sources, consider pinning package versions, and verify ffmpeg/curl on the system path.
Text intended for speech and the resulting audio may be processed by external providers.
The workflow sends the user-provided text/audio through Edge TTS and Feishu APIs. This is disclosed and expected, but users should understand the data leaves the local machine.
1. `edge-tts` 生成 MP3 2. `ffmpeg` 转换为 OPUS(飞书语音格式) 3. 飞书 API 上传 OPUS 获取 `file_key` 4. 发送 `msg_type=audio` 消息
Do not use this skill for confidential content unless Microsoft Edge TTS and Feishu processing are acceptable for that data.