通过飞书Open API发送语音消息,支持文本转语音和上传多格式音频文件,自动转换为opus格式发送。
Security Analysis
high confidenceThe skill code matches its stated purpose (send Feishu audio messages) but the package metadata fails to declare required credentials (FEISHU_APP_ID/FEISHU_APP_SECRET) and thus the manifest is internally inconsistent.
The script's functionality (TTS -> convert -> upload -> send via Feishu Open API) matches the skill name and description. The Feishu APP ID/SECRET it uses are appropriate for this purpose. However, the registry metadata declares no required environment variables or primary credential even though the script requires FEISHU_APP_ID and FEISHU_APP_SECRET (or equivalent entries in ~/.openclaw/.env or ~/.openclaw/openclaw.json). This omission is an inconsistency in the manifest.
SKILL.md and send-voice.sh limit actions to generating/transforming audio, reading credentials (env or two ~/.openclaw paths), calling local tools (edge-tts, ffmpeg, curl, optional jq), and POSTing to open.feishu.cn endpoints. The script does not attempt to read unrelated system files, network endpoints beyond Feishu, or exfiltrate data to other hosts.
No install spec (instruction-only + an included script). Dependencies are local binaries and a pip package (edge-tts). There are no downloads or archive extraction steps in the skill itself. Risk level is low for install mechanism.
The script legitimately needs FEISHU_APP_ID and FEISHU_APP_SECRET to call Feishu APIs and looks for them in environment variables or in ~/.openclaw/.env and ~/.openclaw/openclaw.json. The skill registry, however, declares no required env/primary credential. Requiring secrets but not declaring them in metadata is a meaningful discrepancy and could lead to surprise credential access (the script will read dotfiles in the user's home).
always:false (no forced persistent presence). The skill does not modify other skills, does not attempt to persist its own credentials beyond reading them, and only creates temporary files under /tmp for conversion — behavior is proportional to its purpose.
Guidance
This script appears to do what it says (TTS -> convert -> upload -> send to Feishu), but the package metadata omitted the fact it requires Feishu credentials. Before installing or running: 1) Review the script (already included) and confirm you trust its Feishu API calls to open.feishu.cn. 2) Provide FEISHU_APP_ID and FEISHU_APP_SECRET via environment variables rather than dropping them into shared config files, or verify ~/.openclaw/.env and ~/.openclaw/openclaw.json contain only intended values. 3) Run edge-tts inside a virtualenv and ensure ffmpeg is from a trusted package manager. 4) Because the manifest didn't declare required secrets, be cautious about automated installs or agents that auto-provide credentials — prefer manual invocation. 5) If you need higher assurance, ask the publisher for a signed source or publish origin (homepage) and an explicit manifest that lists required env vars and permissions.
Latest Release
v1.0.0
**feishu-voice 1.0.0** - 重构说明文档,简化为更实用的快速指南和参数表,突出一键发送用法。 - 新增 `.env.example` 环境变量模板,便于快速配置。 - 新增 `send-voice.sh` 脚本,整合文字转语音与音频文件发送流程。 - 移除旧版 `README.md`、`package.json` 及冗余脚本,优化结构。 - 跳转 TTS 依赖至 `edge-tts`,明确依赖环境及安装指令。
Popular Skills
Published by @michael-c-matias on ClawHub
