← 返回 Skills 市场

Feishu Voice (ElevenLabs)

Name: Feishu Voice (ElevenLabs)
Author: dongdongbear

作者 DongDong · GitHub ↗ · v1.1.0

cross-platform ⚠ suspicious

489

总下载

当前安装

版本数

在 OpenClaw 中安装

/install feishu-voice-elevenlabs

功能描述

Send and receive voice messages on Feishu (Lark) using ElevenLabs TTS and STT. Activate when user asks to send a voice message on Feishu, or when receiving a...

使用说明 (SKILL.md)

Feishu Voice (TTS + STT)

Send voice messages and transcribe received voice messages on Feishu using ElevenLabs.

Prerequisites

sag CLI (ElevenLabs TTS): npm i -g sag or go install
ffmpeg / ffprobe: brew install ffmpeg
ElevenLabs paid plan (required for library voices)
Feishu app with im:message:send_as_bot and im:file permissions

Environment Variables

Variable	Required	Description
`ELEVENLABS_API_KEY`	✅	ElevenLabs API key
`FEISHU_APP_ID`	✅ (TTS)	Feishu app ID
`FEISHU_APP_SECRET`	✅ (TTS)	Feishu app secret
`ELEVENLABS_VOICE_ID`	✅ (TTS)	Voice ID (browse at elevenlabs.io/voice-library)
`ELEVENLABS_MODEL_ID`	✅ (TTS)	Model ID (e.g. `eleven_multilingual_v2`, `eleven_v3`)
`ELEVENLABS_SPEED`	❌	Speech speed 0.5-2.0 (default: 1.0)

If FEISHU_APP_ID / FEISHU_APP_SECRET are not in env, extract from openclaw config:

export FEISHU_APP_ID=$(python3 -c "import json; print(json.load(open('$HOME/.openclaw/openclaw.json'))['channels']['feishu']['appId'])")
export FEISHU_APP_SECRET=$(python3 -c "import json; print(json.load(open('$HOME/.openclaw/openclaw.json'))['channels']['feishu']['appSecret'])")

Voice Selection

See config/voice-config.example.json for a curated voice list. Browse all voices at https://elevenlabs.io/voice-library or run sag voices.

Recommended models:

eleven_multilingual_v2 — best for Chinese and multilingual content
eleven_v3 — latest English-optimized model

Sending Voice Messages (TTS)

scripts/feishu-voice-send.sh \x3Ctext> \x3Creceive_id> [receive_id_type] [speed]

receive_id: target user open_id or chat_id
receive_id_type: open_id (default) or chat_id
speed: speech speed multiplier, 0.5-2.0 (default: 1.0)

Receiving Voice Messages (STT)

When OpenClaw delivers a Feishu voice message, it arrives as a media attachment (.ogg file). Transcribe with:

scripts/feishu-voice-stt.sh /path/to/audio.ogg

Returns recognized text to stdout. Uses ElevenLabs scribe_v1 model with automatic language detection.

Fallback: Download via Feishu API

If the audio file is not delivered as an attachment (only file_key available):

List recent messages: GET /im/v1/messages?container_id_type=chat&container_id=CHAT_ID&page_size=5&sort_type=ByCreateTimeDesc
Download audio: GET /im/v1/messages/{message_id}/resources/{file_key}?type=file
Run STT script on the downloaded file

Smart Reply Mode

When receiving messages, follow this pattern for natural conversation:

Voice message received → transcribe with STT → understand → reply with voice (TTS)
Text message received → understand → reply with text
Override: user can request voice/text reply explicitly

Important Notes

Feishu msg_type must be "audio" — not "media" or "file"
OpenClaw's message tool asVoice does not work correctly for Feishu — use this script instead
STT uses ElevenLabs scribe_v1 model, supports Chinese, English, and 90+ languages
For free ElevenLabs accounts, only premade voices work; library voices require a paid plan

安全使用建议

This skill appears to implement the claimed Feishu TTS/STT functionality, but note two issues before installing: (1) The registry metadata claims no required env vars while SKILL.md and the scripts require multiple secrets (ElevenLabs API key and Feishu app credentials). Don't trust the metadata alone — verify and supply only the minimum credentials. (2) SKILL.md suggests extracting FEISHU_APP_ID/FEISHU_APP_SECRET from $HOME/.openclaw/openclaw.json; inspect that file manually to ensure it contains only the expected Feishu fields and no other sensitive tokens before running the provided extraction snippet. Additional precautions: verify the origin of the 'sag' CLI before installing (npm/go), run the scripts in a restricted environment or container if possible, and consider creating Feishu credentials with limited scope/permissions for this integration.

功能分析

Type: OpenClaw Skill Name: feishu-voice-elevenlabs Version: 1.1.0 The skill's core functionality for Feishu voice integration is legitimate, but it exhibits several critical vulnerabilities. The `SKILL.md` instructs the AI agent to execute a shell command to read sensitive configuration from `$HOME/.openclaw/openclaw.json`, which is a risky local file access pattern that could be exploited via prompt injection. Furthermore, `scripts/feishu-voice-send.sh` is vulnerable to shell injection via unsanitized `$TEXT` input to `sag speak` and JSON injection via unsanitized `$RECEIVE_ID` in its `curl` payload. `scripts/feishu-voice-stt.sh` is also vulnerable to shell injection due to direct use of unsanitized `$AUDIO_FILE` in a `curl -F` command. These are significant input sanitization flaws that could lead to arbitrary command execution or data manipulation, classifying the skill as suspicious due to these vulnerabilities.

能力评估

⚠ Purpose & Capability

The SKILL.md and included scripts clearly require ElevenLabs and Feishu credentials (ELEVENLABS_API_KEY, FEISHU_APP_ID, FEISHU_APP_SECRET, ELEVENLABS_VOICE_ID, ELEVENLABS_MODEL_ID). However registry metadata reported "Required env vars: none" and "Primary credential: none", which is inconsistent with the files. The requested env vars are appropriate for the declared purpose, but the metadata mismatch is misleading and should be corrected.

ℹ Instruction Scope

Runtime instructions and scripts perform exactly the expected actions: call ElevenLabs TTS/STT, convert audio with ffmpeg, obtain tenant_access_token from Feishu API, upload and send audio. SKILL.md also recommends installing 'sag' and ffmpeg. One instruction suggests extracting FEISHU_APP_ID / FEISHU_APP_SECRET from $HOME/.openclaw/openclaw.json; the scripts themselves do not automatically read that file but the doc gives a snippet to export these values — this reads local OpenClaw config and is functionally relevant but worth flagging because it touches a local config file that may contain other secrets if misused.

✓ Install Mechanism

The skill is instruction-only with small helper scripts; there is no install spec. It depends on external CLI binaries (sag, ffmpeg/ffprobe). That is reasonable for a script-based integration, but users should confirm the provenance of 'sag' (npm or go install) before installing from package registries.

⚠ Credentials

The required environment variables (ElevenLabs API key, ElevenLabs voice/model IDs, Feishu app ID/secret) are proportionate to the feature. Concern arises because the public metadata did not declare these required secrets, and because the README suggests extracting FEISHU_APP_ID/FEISHU_APP_SECRET from ~/.openclaw/openclaw.json — accessing a local agent config can expose credentials if the file contains other tokens or if the extraction is run blindly. The scripts themselves only use the specific Feishu fields, but the guidance to programmatically read local config increases risk if run without inspection.

✓ Persistence & Privilege

The skill does not request 'always: true', does not modify other skills or system-wide settings, and contains only runtime scripts. Autonomous invocation remains enabled by default (platform standard) but does not combine with other high privileges here.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install feishu-voice-elevenlabs
安装完成后，直接呼叫该 Skill 的名称或使用 /feishu-voice-elevenlabs 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.1.0

v1.1.0: Added speed control, voice config example, smart reply mode guidance

v1.0.0

Initial release: TTS send + STT receive for Feishu voice messages via ElevenLabs

元数据

Slug feishu-voice-elevenlabs

版本 1.1.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 2

常见问题