中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:1 day ago Rescan
5 /100
xunfei-voice-reply
语音回复技能 - 使用讯飞 TTS 生成语音并发送到飞书
This is a legitimate iFlytek TTS integration skill that generates voice replies for Feishu. The pre-scan flagged base64 decoding as suspicious, but this is a false positive—it's standard decoding of audio data from the API response, not code obfuscation.
Skill Namexunfei-voice-reply
Duration37.5s
Enginepi
Safe to install
No action needed. The skill is safe to use with standard security practices (protect API credentials via environment variables).
ResourceDeclaredInferredStatusEvidence
Network READ READ ✓ Aligned WebSocket to tts-api.xfyun.cn (tts-core.js:44)
Shell WRITE WRITE ✓ Aligned execSync for ffmpeg (tts-core.js:78-83, voice-reply.js:31)
Filesystem READ READ ✓ Aligned Reads config.json (tts-config.js:14-16)
Filesystem WRITE WRITE ✓ Aligned Writes audio to /tmp/openclaw (tts-core.js:75-83)
Environment READ READ ✓ Aligned XUNFEI_APP_ID, XUNFEI_API_KEY, XUNFEI_API_SECRET (tts-config.js:32-34)
1 Critical 3 findings
🔒
Critical Encoded Execution Base64 编码执行(代码混淆)
Buffer.from(res.data.audio, 'base64'
lib/tts-core.js:73
🔗
Medium External URL 外部 URL
https://www.xfyun.cn/
references/setup.md:7
🔗
Medium External URL 外部 URL
https://www.xfyun.cn/doc/tts/online_tts/API.html
references/setup.md:66

File Tree

7 files · 24.2 KB · 691 lines
Markdown 3f · 450L JavaScript 3f · 223L JSON 1f · 18L
├─ 📁 lib
│ ├─ 📜 tts-config.js JavaScript 58L · 1.4 KB
│ └─ 📜 tts-core.js JavaScript 109L · 3.6 KB
├─ 📁 references
│ ├─ 📝 setup.md Markdown 127L · 2.4 KB
│ └─ 📝 voice-flow.md Markdown 184L · 12.0 KB
├─ 📁 scripts
│ └─ 📜 voice-reply.js JavaScript 56L · 1.5 KB
├─ 🔑 config.json JSON 18L · 389 B
└─ 📝 SKILL.md Markdown 139L · 3.1 KB

Security Positives

✓ All shell execution (execSync for ffmpeg) is documented in SKILL.md
✓ Network access is limited to legitimate iFlytek TTS API endpoint
✓ Base64 encoding is used correctly for binary audio data transmission over JSON WebSocket API
✓ Credentials are sourced from environment variables, not hardcoded
✓ Output directory uses standard temporary path /tmp/openclaw
✓ Comprehensive documentation matches implementation
✓ No hidden functionality detected
✓ Error handling properly documented (timeout, fallback to text)