Trusted — Risk Score 5/100
Last scan: 1 day ago
Feishu Audio Message
Send voice/audio messages to Feishu (Lark) users via Open API
Feishu audio/video messaging skill with fully documented functionality, legitimate API integration, and no malicious indicators.
Skill Name: Feishu Audio Message
Duration: 33.5s
Engine: pi
Safe to install
This skill is safe to use. No security concerns identified.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | fs.readFileSync() used for local audio/video files only |
| Network | READ | WRITE | ✓ Aligned | Sends messages to Feishu API endpoints - necessary for messaging feature |
| Shell | NONE | WRITE | ✓ Aligned | execFileSync for ffmpeg/ffprobe; documented in SKILL.md as requirement |
| Environment | READ | READ | ✓ Aligned | Reads FEISHU_APP_ID, FEISHU_APP_SECRET - documented and necessary |
5 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal | SKILL.md:70 |
| Medium | External URL | https://open.feishu.cn/open-apis/im/v1/files | SKILL.md:75 |
| Medium | External URL | https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id | SKILL.md:86 |
| Medium | External URL | https://open.feishu.cn/open-apis/im/v1/images | scripts/send-video.mjs:191 |
| Medium | External URL | https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=$ | scripts/send-video.mjs:264 |

File Tree

5 files · 26.8 KB · 969 lines
JavaScript 2f · 556L | Markdown 2f · 358L | Shell 1f · 55L
├─ 📁 scripts
│ ├─ 🔧 convert-audio.sh Shell 55L · 1.6 KB
│ ├─ 📜 send-video.mjs JavaScript 360L · 11.5 KB
│ └─ 📜 send-voice.mjs JavaScript 196L · 5.9 KB
├─ 📝 README.md Markdown 233L · 4.9 KB
└─ 📝 SKILL.md Markdown 125L · 2.9 KB

Security Positives

✓ All functionality explicitly documented in SKILL.md
✓ Network requests only to official Feishu API (open.feishu.cn)
✓ Shell execution uses controlled commands (ffmpeg/ffprobe) with fixed arguments
✓ Credentials used only for Feishu authentication, not exfiltrated
✓ No access to sensitive filesystem paths (~/.ssh, ~/.aws, .env)
✓ No obfuscation techniques (base64, eval, atob) detected
✓ Temp files created in os.tmpdir() with proper cleanup
✓ No data exfiltration beyond legitimate API calls