← 返回 Skills 市场

MiniMax Feishu Music

Name: MiniMax Feishu Music
Author: raydoomed

作者 xRay · GitHub ↗ · v1.4.0 · MIT-0

cross-platform ⚠ suspicious

122

总下载

当前安装

版本数

在 OpenClaw 中安装

/install minimax-feishu-music

功能描述

Generate themed music with lyrics using MiniMax music-2.6 and send as a high-quality MP3 audio attachment to a Feishu user.

安全使用建议

This skill's purpose (generate music and send to Feishu) is reasonable, but the helper script reads your OpenClaw config (~/.openclaw/openclaw.json) to pull Feishu app_id/app_secret without documenting that behavior — that file may contain sensitive credentials. Before installing or running: 1) verify the author/source (unknown here); 2) inspect ~/.openclaw/openclaw.json to confirm what secrets are stored and whether you want them accessed; 3) consider running the script in an isolated environment or sandbox; 4) ask the maintainer why the script fetches Feishu credentials directly (the script also calls openclaw CLI to send the file, so direct credential use looks redundant and may be a bug); and 5) if you don't want the skill to access your OpenClaw credentials, modify the script to rely solely on the openclaw CLI or explicitly document and approve the credential use. If you cannot validate the source or reason for the extra access, avoid installing or running this skill with real credentials.

功能分析

Type: OpenClaw Skill Name: minimax-feishu-music Version: 1.4.0 The skill script `send_feishu_music.py` contains a path traversal vulnerability in the `save_to_workspace` function, as it uses the user-provided `--title` argument to construct a file path without sanitization, potentially allowing arbitrary file writes. Additionally, the script accesses the main OpenClaw configuration file (`~/.openclaw/openclaw.json`) to extract sensitive Feishu credentials (appId/appSecret), which is a high-privilege action. While these behaviors support the stated goal of generating and sending music, the lack of input validation and broad access to system secrets pose a security risk in an agentic environment.

能力标签

cryptorequires-oauth-token

能力评估

ℹ Purpose & Capability

Name/description (generate music and send to Feishu) aligns with the included script and APIs (MiniMax and Feishu). The skill legitimately needs a MiniMax API key (documented in music_config.json) and some way to send to Feishu. However, the script reads ~/.openclaw/openclaw.json to extract Feishu app_id/app_secret even though SKILL.md does not document needing or creating that file; this is an unexplained requirement.

⚠ Instruction Scope

SKILL.md documents creating music_config.json and running the script, and mentions using openclaw to send the file. It does NOT mention that the script will read ~/.openclaw/openclaw.json to extract Feishu app credentials and call Feishu's token endpoint. The code therefore accesses additional local config/credentials that are not declared in the instructions — scope creep and a surprise to users.

✓ Install Mechanism

No install spec; this is an instruction-only skill with a helper script. Nothing is written to disk by an installer. The script does write generated MP3s to ~/.openclaw/workspace/songs (expected for workspace artifacts).

⚠ Credentials

The skill documents the MiniMax API key in music_config.json (proportionate). It does not document or declare access to OpenClaw's main config (~/.openclaw/openclaw.json), which the script reads to extract Feishu appId/appSecret. Requesting those credentials is potentially reasonable for sending messages, but the absence of any mention in SKILL.md is an unexplained and disproportionate access to local credentials. Additionally, the script retrieves a Feishu tenant token but then uses the openclaw CLI to send the message, making the direct credential access redundant and suspicious (could be accidental or a code smell).

✓ Persistence & Privilege

Skill does not request always:true, has no install step that modifies other skills, and does not persist new agent-wide configuration. It writes output files to the user's workspace only (expected).

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install minimax-feishu-music
安装完成后，直接呼叫该 Skill 的名称或使用 /minimax-feishu-music 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.4.0

Add music-cover mode: --cover parameter for reference audio, lyrics-swap functionality, updated examples and documentation

v1.3.1

Fix script example lyrics: remove all descriptions, use real singable lyrics with proper structure

v1.3.0

Fix example lyrics: remove descriptions, use real singable lyrics with (Ooh-ooh) style, Verse 1/2 numbering, proper structure

v1.2.1

Remove response time note (not an API parameter); config placeholder only

v1.2.0

Rewrite song structure section: remove fixed templates, use content-driven structure selection based on lyrics and emotional rhythm

v1.1.1

Remove API key from published package, config now placeholder

v1.1.0

Add complete lyrics structure tags documentation, full song structure example, all 14 tags explained

v1.0.2

Fix: remove user's real open_id from public examples

v1.0.1

Fix: replace private lyrics in script docstring with test example

v1.0.0

Initial release

元数据

Slug minimax-feishu-music

版本 1.4.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 10

常见问题

MiniMax Feishu Music 是什么？

Generate themed music with lyrics using MiniMax music-2.6 and send as a high-quality MP3 audio attachment to a Feishu user. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 122 次。

如何安装 MiniMax Feishu Music？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install minimax-feishu-music」即可一键安装，无需额外配置。

MiniMax Feishu Music 是免费的吗？

是的，MiniMax Feishu Music 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

MiniMax Feishu Music 支持哪些平台？

MiniMax Feishu Music 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 MiniMax Feishu Music？

由 xRay（@raydoomed）开发并维护，当前版本 v1.4.0。