← Back to Skills Marketplace

Wecom Voice

Name: Wecom Voice
Author: fanqisyx

by fanqi · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

378

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install wecom-voice

Description

Send native voice messages to WeCom using Windows TTS. Converts text to speech and sends as voice message (not audio file).

Usage Guidance

This skill appears to do what it says (generate Windows TTS → convert → send via your OpenClaw CLI), but there are a few inconsistencies you should consider before installing or running it: - The script will execute a temporary PowerShell script (created under ~/.openclaw/media/inbound) and run ffmpeg and the openclaw CLI on your machine. Review the code and be comfortable with those actions. - The SKILL.md claims FFmpeg should be in PATH, but the code uses a hardcoded FFMPEG path under AppData/WinGet. If that path doesn't exist, the conversion will fail. Consider editing the script to use ffmpeg from PATH or make the ffmpeg path configurable. - The script calls 'openclaw message send' — it relies on your existing OpenClaw CLI configuration/credentials. Ensure you trust the CLI configuration and the target recipient before allowing the skill to run. If you want this skill but are cautious: manually inspect or run the script in a controlled environment (or modify it to use ffmpeg from PATH and to log less or prompt before sending). If the script started contacting unknown network endpoints, requested unrelated credentials, or attempted to read other user files, the assessment would be more severe.

Capability Analysis

Type: OpenClaw Skill Name: wecom-voice Version: 1.0.0 The skill contains multiple command injection vulnerabilities in `scripts/send-voice.cjs`. It unsafely interpolates user-provided arguments (`text` and `targetUser`) into shell commands and a PowerShell script executed with `-ExecutionPolicy Bypass`. While the script's logic aligns with its stated purpose of sending WeCom voice messages, the lack of input sanitization allows for arbitrary code execution. No clear evidence of intentional malice or data exfiltration was found, but the implementation is highly insecure.

Capability Assessment

⚠ Purpose & Capability

The skill claims to convert text to AMR and send as a WeCom voice message — the script does exactly that. However the SKILL.md says "FFmpeg in PATH" while the script uses a hardcoded FFMPEG path under AppData/WinGet; SKILL.md does not list the openclaw CLI or PowerShell as required binaries even though the script calls both. These mismatches are disproportionate to the stated simple purpose and could cause unexpected behavior.

ℹ Instruction Scope

Instructions and script stay within the stated task: generate WAV via Windows System.Speech, convert with FFmpeg, and call 'openclaw message send' to deliver the AMR. The script writes a temporary PowerShell file into the media inbound directory and executes it, and it relies on the presence/configuration of the openclaw CLI (which will supply credentials implicitly). It does not read unrelated user files or transmit data to unknown endpoints.

✓ Install Mechanism

No install spec (instruction-only plus one script) — lowest install risk. Nothing is being downloaded or extracted by the skill itself.

ℹ Credentials

The skill declares no required env vars, which is consistent with relying on local TTS and the user's existing OpenClaw CLI configuration. However the script implicitly depends on external binaries (PowerShell, FFmpeg, openclaw CLI) and uses a very specific hardcoded FFmpeg location instead of PATH; it will therefore rely on existing credentials/configuration held by the openclaw CLI without declaring them.

✓ Persistence & Privilege

The skill is not marked always:true, does not request persistent system changes, and does not modify other skills or system-wide settings. It just writes temporary and output files into the user's ~/.openclaw/media/inbound directory.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install wecom-voice
After installation, invoke the skill by name or use /wecom-voice
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release of wecom-voice. - Send native voice messages to WeCom (企业微信) using Windows TTS. - Converts input text to speech with Microsoft Huihui and outputs AMR format (native voice message). - Requires Windows System.Speech and FFmpeg. - CLI tool can target individual users. - Integrates with OpenClaw for message delivery.

Metadata

Slug wecom-voice

Version 1.0.0

License MIT-0

All-time Installs 1

Active Installs 1

Total Versions 1

Frequently Asked Questions

What is Wecom Voice?

Send native voice messages to WeCom using Windows TTS. Converts text to speech and sends as voice message (not audio file). It is an AI Agent Skill for Claude Code / OpenClaw, with 378 downloads so far.

How do I install Wecom Voice?

Run "/install wecom-voice" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Wecom Voice free?

Yes, Wecom Voice is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Wecom Voice support?

Wecom Voice is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Wecom Voice?

It is built and maintained by fanqi (@fanqisyx); the current version is v1.0.0.

More Skills