ClawHub

Voice Memo

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it can send real iMessages through a local private API and its activation/default-recipient behavior is too broad for that level of authority.

Review before installing. Only use this if you are comfortable sending message text to ElevenLabs and allowing BlueBubbles Private API to send iMessages from your machine. Configure a strong BlueBubbles password, bind it to localhost where possible, remove the hardcoded default recipient, and require explicit confirmation of the recipient and message before every send.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill explicitly instructs users to run a shell script and declares required binaries and credentials, yet it does not declare corresponding permissions. This weakens platform trust and review controls because the skill can invoke shell-based actions and external services without an explicit permission boundary, increasing the chance of unexpected command execution or secret use.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly instructs users to send message text to ElevenLabs for TTS generation and to use BlueBubbles with Private API enabled, but it does not clearly warn that message content leaves the local system, that credentials are required, or that enabling private API access can expand account/system risk. In an agent skill that may be invoked on behalf of a user, the lack of explicit privacy and security disclosure increases the chance of unintentional sensitive-data transmission or unsafe deployment.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The invocation guidance is broad enough to match many ordinary requests such as summaries, storytelling, or anything 'more engaging than text,' which can cause the agent to activate the skill in situations the user did not clearly intend. Because this skill sends outbound iMessages and generates audio via third-party services, accidental activation could transmit private content or trigger actions with real-world effects.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill describes generating audio through ElevenLabs, sending it through BlueBubbles/iMessage, and transcribing incoming voice memos, but it lacks a prominent user-facing privacy warning about third-party processing, message delivery, and transcription handling. Users may unknowingly expose sensitive content to external providers or assume voice memo content is handled locally and ephemerally when it is being transmitted and processed.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script transmits the full user-provided message text to ElevenLabs, a third-party service, without any explicit user notice, consent gate, or privacy warning. In a messaging/voice-memo skill, users may assume processing is local, so sensitive or personal content could be unintentionally disclosed to an external provider.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 1. Generate TTS (ElevenLabs)
curl -X POST "https://api.elevenlabs.io/v1/text-to-speech/{voice_id}" \
  -d '{"text": "...", "model_id": "eleven_turbo_v2_5"}'

# 2. Convert to Opus CAF @ 24kHz (REQUIRED format for iMessage)
Confidence
88% confidence
Finding
curl -X POST "https://api.elevenlabs.io/v1/text-to-speech/{voice_id}" \ -d '{"text": "...", "model_id": "eleven_turbo_v2_5"}' # 2. Convert to Opus CAF @ 24kHz (REQUIRED format for iMessage) afconve

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 1. Generate TTS (ElevenLabs)
curl -X POST "https://api.elevenlabs.io/v1/text-to-speech/{voice_id}" \
  -d '{"text": "...", "model_id": "eleven_turbo_v2_5"}'

# 2. Convert to Opus CAF @ 24kHz (REQUIRED format for iMessage)
Confidence
88% confidence
Finding
https://api.elevenlabs.io/

External Transmission

Medium
Category
Data Exfiltration
Content
# Escape text for JSON
TEXT_ESCAPED=$(echo "$TEXT" | sed 's/"/\\"/g' | sed "s/'/\\'/g")

curl -X POST "https://api.elevenlabs.io/v1/text-to-speech/$VOICE_ID" \
    -H "xi-api-key: $ELEVENLABS_API_KEY" \
    -H "Content-Type: application/json" \
    -d "{
Confidence
92% confidence
Finding
curl -X POST "https://api.elevenlabs.io/v1/text-to-speech/$VOICE_ID" \ -H "xi-api-key: $ELEVENLABS_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
# Escape text for JSON
TEXT_ESCAPED=$(echo "$TEXT" | sed 's/"/\\"/g' | sed "s/'/\\'/g")

curl -X POST "https://api.elevenlabs.io/v1/text-to-speech/$VOICE_ID" \
    -H "xi-api-key: $ELEVENLABS_API_KEY" \
    -H "Content-Type: application/json" \
    -d "{
Confidence
92% confidence
Finding
https://api.elevenlabs.io/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal