中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:1 day ago Rescan
5 /100
feishu-voice
飞书语音消息收发:接收语音自动转文字(飞书原生 Transcript + Whisper 降级),回复语音由 MiniMax T2A 合成后发送
Legitimate Feishu voice message skill with properly documented subprocess usage and API calls; no hidden functionality or security concerns identified.
Skill Namefeishu-voice
Duration25.6s
Enginepi
Safe to install
No action needed. Consider pinning the requests library version for better supply chain hygiene.

Findings 1 items

Severity Finding Location
Low
Unpinned requests dependency Supply Chain
The requests library is used without version pinning, which could lead to unexpected behavior if a malicious version is installed.
import requests
→ Add version pinning: requests>=2.31.0 or requests==2.31.0
 scripts/send_voice.py:7
ResourceDeclaredInferredStatusEvidence
Filesystem WRITE WRITE ✓ Aligned tempfile usage in send_voice.py:20
Shell WRITE WRITE ✓ Aligned subprocess.run ffmpeg in send_voice.py:42
Environment READ READ ✓ Aligned MINIMAX_API_KEY read in send_voice.py:24
Network READ READ ✓ Aligned POST to api.minimaxi.com in send_voice.py:35
1 findings
🔗
Medium External URL 外部 URL
https://api.minimaxi.com/v1/t2a_v2
SKILL.md:55

File Tree

2 files · 5.4 KB · 170 lines
Markdown 1f · 108L Python 1f · 62L
├─ 📁 scripts
│ └─ 🐍 send_voice.py Python 62L · 2.2 KB
└─ 📝 SKILL.md Markdown 108L · 3.1 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
requests * pip No Version not pinned

Security Positives

✓ All subprocess execution (ffmpeg) is explicitly documented in SKILL.md
✓ API key access is explicitly declared and scoped to MINIMAX_API_KEY only
✓ No credential exfiltration or data theft observed
✓ No obfuscation techniques (base64, eval, atob) detected
✓ Network calls use domain names, not direct IP addresses
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Code matches documentation - no doc-to-code mismatch
✓ Legitimate audio processing workflow: TTS → format conversion → send