Downloads: 122
Stars: 0
Active Installs: 0
Versions: 10
Install in OpenClaw
/install minimax-feishu-music
Description
Generate themed music with lyrics using MiniMax music-2.6 and send as a high-quality MP3 audio attachment to a Feishu user.
Usage Guidance
This skill's purpose (generate music and send to Feishu) is reasonable, but the helper script reads your OpenClaw config (~/.openclaw/openclaw.json) to pull Feishu app_id/app_secret without documenting that behavior, and that file may contain sensitive credentials. Before installing or running:
1. Verify the author/source (unknown here).
2. Inspect ~/.openclaw/openclaw.json to confirm what secrets are stored and whether you want them accessed.
3. Consider running the script in an isolated environment or sandbox.
4. Ask the maintainer why the script fetches Feishu credentials directly (the script also calls openclaw CLI to send the file, so direct credential use looks redundant and may be a bug).
5. If you don't want the skill to access your OpenClaw credentials, modify the script to rely solely on the openclaw CLI or explicitly document and approve the credential use.

If you cannot validate the source or reason for the extra access, avoid installing or running this skill with real credentials.
Capability Analysis
Type: OpenClaw Skill
Name: minimax-feishu-music
Version: 1.4.0
The skill script `send_feishu_music.py` contains a path traversal vulnerability in the `save_to_workspace` function, as it uses the user-provided `--title` argument to construct a file path without sanitization, potentially allowing arbitrary file writes. Additionally, the script accesses the main OpenClaw configuration file (`~/.openclaw/openclaw.json`) to extract sensitive Feishu credentials (appId/appSecret), which is a high-privilege action. While these behaviors support the stated goal of generating and sending music, the lack of input validation and broad access to system secrets pose a security risk in an agentic environment.
Capability Assessment
Purpose & Capability
Name/description (generate music and send to Feishu) aligns with the included script and APIs (MiniMax and Feishu). The skill legitimately needs a MiniMax API key (documented in music_config.json) and some way to send to Feishu. However, the script reads ~/.openclaw/openclaw.json to extract Feishu app_id/app_secret even though SKILL.md does not document needing or creating that file; this is an unexplained requirement.
Instruction Scope
SKILL.md documents creating music_config.json and running the script, and mentions using openclaw to send the file. It does NOT mention that the script will read ~/.openclaw/openclaw.json to extract Feishu app credentials and call Feishu's token endpoint. The code therefore accesses additional local config/credentials that are not declared in the instructions — scope creep and a surprise to users.
Install Mechanism
No install spec; this is an instruction-only skill with a helper script. Nothing is written to disk by an installer. The script does write generated MP3s to ~/.openclaw/workspace/songs (expected for workspace artifacts).
Credentials
The skill documents the MiniMax API key in music_config.json (proportionate). It does not document or declare access to OpenClaw's main config (~/.openclaw/openclaw.json), which the script reads to extract Feishu appId/appSecret. Requesting those credentials is potentially reasonable for sending messages, but the absence of any mention in SKILL.md is an unexplained and disproportionate access to local credentials. Additionally, the script retrieves a Feishu tenant token but then uses the openclaw CLI to send the message, making the direct credential access redundant and suspicious (could be accidental or a code smell).
Persistence & Privilege
Skill does not request always:true, has no install step that modifies other skills, and does not persist new agent-wide configuration. It writes output files to the user's workspace only (expected).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install minimax-feishu-music
- After installation, invoke the skill by name or use /minimax-feishu-music
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.4.0
Add music-cover mode: --cover parameter for reference audio, lyrics-swap functionality, updated examples and documentation
v1.3.1
Fix script example lyrics: remove all descriptions, use real singable lyrics with proper structure
v1.3.0
Fix example lyrics: remove descriptions, use real singable lyrics with (Ooh-ooh) style, Verse 1/2 numbering, proper structure
v1.2.1
Remove response time note (not an API parameter); config placeholder only
v1.2.0
Rewrite song structure section: remove fixed templates, use content-driven structure selection based on lyrics and emotional rhythm
v1.1.1
Remove API key from published package, config now placeholder
v1.1.0
Add complete lyrics structure tags documentation, full song structure example, all 14 tags explained
v1.0.2
Fix: remove user's real open_id from public examples
v1.0.1
Fix: replace private lyrics in script docstring with test example
v1.0.0
Initial release
Frequently Asked Questions
What is MiniMax Feishu Music?
Generate themed music with lyrics using MiniMax music-2.6 and send as a high-quality MP3 audio attachment to a Feishu user. It is an AI Agent Skill for Claude Code / OpenClaw, with 122 downloads so far.
How do I install MiniMax Feishu Music?
Run "/install minimax-feishu-music" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is MiniMax Feishu Music free?
Yes, MiniMax Feishu Music is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does MiniMax Feishu Music support?
MiniMax Feishu Music is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created MiniMax Feishu Music?
It is built and maintained by xRay (@raydoomed); the current version is v1.4.0.