Dub YouTube with Voice.ai
PassAudited by ClawScan on May 10, 2026.
Overview
The skill appears purpose-aligned for generating Voice.ai voiceovers, but users should notice that it uses a Voice.ai API key, sends script text to Voice.ai, and may run local ffmpeg media-processing commands.
This looks coherent for a Voice.ai YouTube dubbing workflow. Before installing, confirm you trust the publisher and the bundled Node script, understand that real runs send your script text and API key to Voice.ai, and use mock mode or non-sensitive content for testing.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and used with a real key, the skill can consume Voice.ai API access for voice generation.
The skill requires a provider API key to call Voice.ai. This is expected for the stated TTS purpose, but users should know the credential grants access to their Voice.ai account or credits.
**VOICE_AI_API_KEY** — set as environment variable
Use a dedicated Voice.ai API key if possible, keep it out of shared logs, and revoke or rotate it if you no longer trust the skill.
Unpublished scripts, client content, or sensitive narration text may be sent to Voice.ai when not using mock mode.
The artifact clearly discloses that script text is transmitted to the Voice.ai provider while video processing remains local.
Only script text is sent to Voice.ai for TTS. Your video files never leave your machine.
Do not process confidential scripts unless sending that text to Voice.ai is acceptable; use `--mock` for local testing without API calls.
The skill may invoke local media tools such as ffmpeg on files and paths supplied in the command.
The static scan reports local command execution, and the docs explain that ffmpeg is used for stitching, encoding, normalization, and video dubbing. This is purpose-aligned, but it is still a local execution capability.
Static scan: Shell command execution detected (child_process)
Run it only with trusted input paths, review generated output before publishing, and ensure ffmpeg is installed from a trusted source.
Users have less provenance information and may not see the credential requirement from registry metadata alone.
The registry metadata lacks source/homepage provenance and does not reflect the API key requirement that is documented inside SKILL.md and the YAML file.
Source: unknown; Homepage: none; Required env vars: none
Review the bundled script and documentation before use, and prefer installing from a publisher/source you trust.