Feishu Voice Bot

by cxzcy · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 124 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install feishu-voice-bot
Description
Send native voice bubbles via Feishu using edge-tts + ffmpeg. Converts text to OGG/Opus audio and sends as a playable blue voice bubble. Use when: (1) User s...
README (SKILL.md)

Feishu Voice Bubble

Send native voice bubbles (blue, playable bubbles) via Feishu using bot identity.

Workflow

text → edge-tts (mp3) → ffmpeg (ogg/opus) → message tool (media=) → native bubble

Quick Usage

# One-liner via the helper script
node scripts/voice-bubble.mjs "你好陛下" --voice zh-CN-XiaoxiaoNeural

Or use the message tool directly after generating the audio:

# Step 1: Generate
cd ~/.openclaw/workspace/skills/edge-tts/scripts
node tts-converter.js "文本" --voice zh-CN-XiaoxiaoNeural --output /tmp/voice.mp3

# Step 2: Convert
ffmpeg -i /tmp/voice.mp3 -c:a libopus -b:a 32k /tmp/voice.ogg -y

# Step 3: Send via message tool
message(action=send, channel=feishu, target=<open_id_or_chat_id>, media=/tmp/voice.ogg)

Supported Voices

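| Language | Voice ID | Characteristics |
| Chinese | zh-CN-XiaoxiaoNeural | Female, natural |
| Chinese | zh-CN-YunxiNeural | Male, natural |
| English | en-US-AriaNeural | Female |
| English | en-US-GuyNeural | Male |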

Full list: node ~/.openclaw/workspace/skills/edge-tts/scripts/tts-converter.js --list-voices

Notes

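  • No user OAuth required: bot identity + message tool + media= is enough to send a native bubble
  • Format: Feishu requires OGG/Opus; edge-tts outputs MP3, so an ffmpeg conversion is needed
  • Temp files: generated audio is stored in /tmp/ and is not cleaned up automatically
  • Chinese by default: zh-CN-XiaoxiaoNeural is used when no voice is specified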
Usage Guidance
This skill appears to implement the advertised Feishu voice-bubble flow, but exercise caution before installing or running it:
  • Command-injection risk: The helper script builds shell commands with user-supplied text via execSync(). Because the shell still performs command substitution inside double quotes, malicious input could run arbitrary commands. Don't run this skill on sensitive systems or accept untrusted input without fixing the code.
  • Dependency mismatch: The metadata doesn't list required binaries (node, ffmpeg) or the dependency on the edge-tts skill file in ~/.openclaw/workspace/skills/edge-tts/scripts/tts-converter.js. Verify those are present and trustworthy before use.
  • Temp file hygiene: Audio files are written to /tmp and not cleaned up; if audio can contain sensitive content, consider deletion after sending.
Recommended mitigations before use:
  1. Patch the script to avoid shell interpolation of user text: use child_process.execFile / spawn with argument arrays, or pass the text via stdin or a temp file rather than embedding it in a shell command string.
  2. Sanitize or escape characters that could trigger shell expansion (e.g., $, $( ), backticks) if you cannot change the invocation method.
  3. Update the skill metadata to declare required binaries and the dependency on the edge-tts skill so installers know preconditions.
  4. Add explicit cleanup of temporary files and consider a safer temp directory.
  5. Only run this skill when you trust the edge-tts script and the environment; do not allow autonomous agent runs on systems with sensitive data until the injection issue is addressed.
Capability Analysis
Type: OpenClaw Skill
Name: feishu-voice-bot
Version: 1.0.0
The skill facilitates sending voice messages to Feishu but contains a shell injection vulnerability in `scripts/voice-bubble.mjs`. The script uses `execSync` to call external tools (edge-tts and ffmpeg) and attempts to sanitize user input by only escaping double quotes, which is insufficient to prevent command execution via shell metacharacters like backticks or command substitution. This represents a high-risk vulnerability allowing for potential Remote Code Execution (RCE) if the agent processes untrusted user input.
Capability Assessment
Purpose & Capability
The code and SKILL.md align with the stated goal (text → edge-tts → ffmpeg → Feishu voice bubble). However the skill metadata declares no required binaries or env vars while the SKILL.md and script require node, ffmpeg, and the separate edge-tts skill script in ~/.openclaw/workspace/skills/edge-tts/scripts/tts-converter.js. The missing dependency metadata is an inconsistency.
Instruction Scope
The runtime script execSync()s shell commands that incorporate user-provided text into a shell command string. Although double quotes are used, POSIX shells still perform command substitution inside double quotes (e.g., $(...), `...`, $VAR expansions), so an attacker-controlled text could trigger arbitrary shell commands when the agent or user supplies input. The SKILL.md also expects the agent to access another skill's script in the user's HOME workspace (reads process.env.HOME implicitly) and creates temp files in /tmp that are not cleaned up.
Install Mechanism
Instruction-only plus a small helper script; there is no install spec and nothing is written by the skill itself. This lowers install-time risk.
Credentials
The skill does not request credentials, which matches its purpose, but it implicitly relies on process.env.HOME and the presence of another skill file under the user's workspace. It also requires ffmpeg and node but does not declare them in metadata. No secrets are requested, which is appropriate, but relying on another skill's script path in the user's home directory is an implicit dependency that should be declared.
Persistence & Privilege
The skill is not always-enabled and does not request elevated/persistent privileges. It does not modify other skills' config. Autonomous invocation remains allowed by platform default but is not combined here with unusual privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install feishu-voice-bot
  3. After installation, invoke the skill by name or use /feishu-voice-bot
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Send native voice bubbles via Feishu using edge-tts + ffmpeg. Bot identity, no OAuth required.
Metadata
Slug feishu-voice-bot
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Feishu Voice Bot?

Send native voice bubbles via Feishu using edge-tts + ffmpeg. Converts text to OGG/Opus audio and sends as a playable blue voice bubble. Use when: (1) User s... It is an AI Agent Skill for Claude Code / OpenClaw, with 124 downloads so far.

How do I install Feishu Voice Bot?

Run "/install feishu-voice-bot" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Feishu Voice Bot free?

Yes, Feishu Voice Bot is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Feishu Voice Bot support?

Feishu Voice Bot is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Feishu Voice Bot?

It is built and maintained by cxzcy (@cxzcy); the current version is v1.0.0.
