Total downloads: 124
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install feishu-voice-bot
Description
Send native voice bubbles via Feishu using edge-tts + ffmpeg. Converts text to OGG/Opus audio and sends as a playable blue voice bubble. Use when: (1) User s...
Usage instructions (SKILL.md)
Feishu Voice Bubble
Send native voice bubbles (playable blue bubbles) via Feishu using bot identity.
Workflow
text → edge-tts (mp3) → ffmpeg (ogg/opus) → message tool (media=) → native bubble
Quick Usage
# One-liner via the helper script
node scripts/voice-bubble.mjs "你好陛下" --voice zh-CN-XiaoxiaoNeural
Or use the message tool directly after generating the audio:
# Step 1: Generate
cd ~/.openclaw/workspace/skills/edge-tts/scripts
node tts-converter.js "文本" --voice zh-CN-XiaoxiaoNeural --output /tmp/voice.mp3
# Step 2: Convert
ffmpeg -i /tmp/voice.mp3 -c:a libopus -b:a 32k /tmp/voice.ogg -y
# Step 3: Send via message tool
message(action=send, channel=feishu, target=<open_id_or_chat_id>, media=/tmp/voice.ogg)
Supported Voices
| Language | Voice ID | Characteristics |
|---|---|---|
| Chinese | zh-CN-XiaoxiaoNeural | Female, natural |
| Chinese | zh-CN-YunxiNeural | Male, natural |
| English | en-US-AriaNeural | Female |
| English | en-US-GuyNeural | Male |
Full list: node ~/.openclaw/workspace/skills/edge-tts/scripts/tts-converter.js --list-voices
Notes
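- No user OAuth required: bot identity + message tool + media= is enough to send a native bubble
- Format: Feishu requires OGG/Opus; edge-tts outputs MP3, so ffmpeg conversion is needed
- Temp files: generated audio is stored in /tmp/ and is not cleaned up automatically
- Chinese by default: zh-CN-XiaoxiaoNeural is used when no voice is specified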
Security usage recommendations
This skill appears to implement the advertised Feishu voice-bubble flow, but exercise caution before installing or running it:
- Command-injection risk: The helper script builds shell commands with user-supplied text via execSync(). Because the shell still performs command substitution inside double quotes, malicious input could run arbitrary commands. Don't run this skill on sensitive systems or accept untrusted input without fixing the code.
- Dependency mismatch: The metadata doesn't list required binaries (node, ffmpeg) or the dependency on the edge-tts skill file in ~/.openclaw/workspace/skills/edge-tts/scripts/tts-converter.js. Verify those are present and trustworthy before use.
- Temp file hygiene: Audio files are written to /tmp and not cleaned up; if audio can contain sensitive content, consider deletion after sending.
Recommended mitigations before use:
1) Patch the script to avoid shell interpolation of user text — use child_process.execFile / spawn with argument arrays or pass the text via stdin or a temp file rather than embedding it in a shell command string.
2) Sanitize or escape characters that could trigger shell expansion (e.g., $, $( ), backticks) if you cannot change the invocation method.
3) Update the skill metadata to declare required binaries and the dependency on the edge-tts skill so installers know preconditions.
4) Add explicit cleanup of temporary files and consider a safer temp directory.
5) Only run this skill when you trust the edge-tts script and the environment; do not allow autonomous agent runs on systems with sensitive data until the injection issue is addressed.
If you want, I can produce a safe replacement of the helper script that uses execFile/spawn or writes input to a temp file to eliminate shell injection risk.
Functional analysis
Type: OpenClaw Skill
Name: feishu-voice-bot
Version: 1.0.0
The skill facilitates sending voice messages to Feishu but contains a shell injection vulnerability in `scripts/voice-bubble.mjs`. The script uses `execSync` to call external tools (edge-tts and ffmpeg) and attempts to sanitize user input by only escaping double quotes, which is insufficient to prevent command execution via shell metacharacters like backticks or command substitution. This represents a high-risk vulnerability allowing for potential Remote Code Execution (RCE) if the agent processes untrusted user input.
Capability assessment
Purpose & Capability
The code and SKILL.md align with the stated goal (text → edge-tts → ffmpeg → Feishu voice bubble). However the skill metadata declares no required binaries or env vars while the SKILL.md and script require node, ffmpeg, and the separate edge-tts skill script in ~/.openclaw/workspace/skills/edge-tts/scripts/tts-converter.js. The missing dependency metadata is an inconsistency.
Instruction Scope
The runtime script execSync()s shell commands that incorporate user-provided text into a shell command string. Although double quotes are used, POSIX shells still perform command substitution inside double quotes (e.g., $(...), `...`, $VAR expansions), so an attacker-controlled text could trigger arbitrary shell commands when the agent or user supplies input. The SKILL.md also expects the agent to access another skill's script in the user's HOME workspace (reads process.env.HOME implicitly) and creates temp files in /tmp that are not cleaned up.
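An added example, not the skill's own code, for the finding above and for mitigations 1 and 4 in the recommendations: the same text passed through a shell string with only double quotes escaped, then as an argv element via execFileSync, with output kept in a private temp directory that is always removed. The child process is a hypothetical stand-in for tts-converter.js, the function names are illustrative, and a POSIX /bin/sh is assumed.

```javascript
// Added example (not the skill's code). The child below is a stand-in for
// tts-converter.js: it writes its text argument to the given output file.
const { execSync, execFileSync } = require('child_process');
const fs = require('fs');
const os = require('os');
const path = require('path');

const CHILD_SRC = "require('fs').writeFileSync(process.argv[2], process.argv[1])";

// Private per-run directory instead of a fixed /tmp path; removed even on error.
function withTempDir(fn) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'voice-'));
  try {
    return fn(path.join(dir, 'voice.out'));
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

// Pattern the analysis describes: escape only double quotes, then hand one
// string to /bin/sh. $(...) and backticks inside "..." are still expanded.
function synthesizeViaShell(text) {
  const escaped = text.replace(/"/g, '\\"');
  return withTempDir((out) => {
    execSync(`"${process.execPath}" -e "${CHILD_SRC}" "${escaped}" "${out}"`);
    return fs.readFileSync(out, 'utf8');
  });
}

// Mitigation 1: no shell; the text is a single argv element and is never parsed.
function synthesizeViaExecFile(text) {
  return withTempDir((out) => {
    execFileSync(process.execPath, ['-e', CHILD_SRC, text, out]);
    return fs.readFileSync(out, 'utf8');
  });
}

// Constructed, harmless input: the substitution only echoes a marker word.
const sample = 'hello $(echo INJECTED)';
console.log('shell    ->', JSON.stringify(synthesizeViaShell(sample)));
console.log('execFile ->', JSON.stringify(synthesizeViaExecFile(sample)));
```

The ffmpeg conversion step can use the same argument-array form, with the input and output paths passed as separate array elements.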
Install Mechanism
Instruction-only plus a small helper script; there is no install spec and nothing is written by the skill itself. This lowers install-time risk.
Credentials
The skill does not request credentials, which matches its purpose, but it implicitly relies on process.env.HOME and the presence of another skill file under the user's workspace. It also requires ffmpeg and node but does not declare them in metadata. No secrets are requested, which is appropriate, but relying on another skill's script path in the user's home directory is an implicit dependency that should be declared.
Persistence & Privilege
The skill is not always-enabled and does not request elevated/persistent privileges. It does not modify other skills' config. Autonomous invocation remains allowed by platform default but is not combined here with unusual privileges.
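How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install feishu-voice-bot
- After installation, call the Skill by name or use /feishu-voice-bot to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output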
Version history
v1.0.0
Initial release: Send native voice bubbles via Feishu using edge-tts + ffmpeg. Bot identity, no OAuth required.
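Metadata
FAQ
What is Feishu Voice Bot?
Send native voice bubbles via Feishu using edge-tts + ffmpeg. Converts text to OGG/Opus audio and sends as a playable blue voice bubble. Use when: (1) User s... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 124 downloads to date.
How do I install Feishu Voice Bot?
Run the command "/install feishu-voice-bot" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Feishu Voice Bot free?
Yes, Feishu Voice Bot is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does Feishu Voice Bot support?
Feishu Voice Bot is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Feishu Voice Bot?
Developed and maintained by cxzcy (@cxzcy); the current version is v1.0.0.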