ElevenLabs
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: elevenlabs-api Version: 1.0.1 The ElevenLabs skill bundle provides a standard integration for audio processing and text-to-speech via a proxy service (api.maton.ai). The documentation in SKILL.md is transparent about its use of managed authentication via the MATON_API_KEY environment variable and includes safe, functional Python and JavaScript code snippets for interacting with the API. No indicators of data exfiltration, malicious execution, or prompt injection were found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill must trust the agent and Maton API path with account-authorized ElevenLabs operations.
The skill requires a bearer credential that authorizes access to the managed ElevenLabs integration.
All requests require the Maton API key in the Authorization header: Authorization: Bearer $MATON_API_KEY
Store MATON_API_KEY securely, use only intended ElevenLabs connections, and revoke or rotate the key if it is exposed.
Improper use could create voice clones, generate media, change projects, or delete managed connections in the connected account.
The documentation acknowledges create/update/delete authority and adds an explicit approval requirement, making the authority purpose-aligned but still important.
**All write operations require explicit user approval.** Before executing any create, update, or delete call, confirm the target resource and intended effect with the user.
Confirm every write or delete action, including the target account, resource, and expected effect, before allowing the agent to proceed.
Text, audio, and voice samples provided to the skill may be transmitted to third-party services for processing.
The skill sends request content, including text-to-speech input and possible voice-cloning audio samples, through Maton to ElevenLabs.
Maton proxies requests to `api.elevenlabs.io` ... POST /elevenlabs/v1/text-to-speech/{voice_id} ... files: [audio_sample.mp3]Do not submit confidential text, private recordings, or voice samples unless you are comfortable with Maton and ElevenLabs processing them.
Installers or users may not get a fully consistent registry-level prompt about the credential requirement and provenance.
The registry information indicates an unknown source and an uneven credential declaration, even though the SKILL.md itself documents MATON_API_KEY.
Source: unknown ... Required env vars: MATON_API_KEY ... Env var declarations: none
Verify the publisher/homepage and make sure the platform clearly prompts for MATON_API_KEY before use.