Scan report
5/100
xunfei-voice-reply
Voice reply skill - generates speech with iFlytek TTS and sends it to Feishu
This is a legitimate iFlytek TTS integration skill that generates voice replies for Feishu. The pre-scan flagged base64 decoding as suspicious, but this is a false positive—it's standard decoding of audio data from the API response, not code obfuscation.
OK to install
No action needed. The skill is safe to use with standard security practices (protect API credentials via environment variables).
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Network access | READ | READ | ✓ Consistent | WebSocket to tts-api.xfyun.cn (tts-core.js:44) |
| Command execution | WRITE | WRITE | ✓ Consistent | execSync for ffmpeg (tts-core.js:78-83, voice-reply.js:31) |
| File system | READ | READ | ✓ Consistent | Reads config.json (tts-config.js:14-16) |
| File system | WRITE | WRITE | ✓ Consistent | Writes audio to /tmp/openclaw (tts-core.js:75-83) |
| Environment variables | READ | READ | ✓ Consistent | XUNFEI_APP_ID, XUNFEI_API_KEY, XUNFEI_API_SECRET (tts-config.js:32-34) |
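1 critical · 3 findings

| Severity | Type | Finding | Evidence | Location |
|---|---|---|---|---|
| Critical | Encoded execution | Base64-encoded execution (code obfuscation) | Buffer.from(res.data.audio, 'base64' | lib/tts-core.js:73 |
| Medium | External URL | External URL | https://www.xfyun.cn/ | references/setup.md:7 |
| Medium | External URL | External URL | https://www.xfyun.cn/doc/tts/online_tts/API.html | references/setup.md:66 |

Directory structure
7 files · 24.2 KB · 691 lines
Markdown: 3 files · 450 lines
JavaScript: 3 files · 223 lines
JSON: 1 file · 18 lines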
├─ lib
│  ├─ tts-config.js (JavaScript)
│  └─ tts-core.js (JavaScript)
├─ references
│  ├─ setup.md (Markdown)
│  └─ voice-flow.md (Markdown)
├─ scripts
│  └─ voice-reply.js (JavaScript)
├─ config.json ⚠ (JSON)
└─ SKILL.md (Markdown)
Security highlights
✓ All shell execution (execSync for ffmpeg) is documented in SKILL.md
✓ Network access is limited to legitimate iFlytek TTS API endpoint
✓ Base64 encoding is used correctly for binary audio data transmission over JSON WebSocket API
✓ Credentials are sourced from environment variables, not hardcoded
✓ Output directory uses standard temporary path /tmp/openclaw
✓ Comprehensive documentation matches implementation
✓ No hidden functionality detected
✓ Error handling properly documented (timeout, fallback to text)