Voice.ai: Creator Voiceover Forge
ReviewAudited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent Voice.ai voiceover tool, but it uses a Voice.ai API key, sends selected script text to Voice.ai, and runs ffmpeg locally for media processing.
Before installing, confirm you trust the bundled CLI, use a revocable Voice.ai API key, avoid sending confidential scripts unless Voice.ai processing is acceptable, and install ffmpeg only from a trusted source.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run with a real key, the tool can make Voice.ai API requests under the user's account.
The code reads a Voice.ai API key from the environment, which is expected for a Voice.ai TTS integration but gives the skill access to use the user's Voice.ai account or credits.
return process.env.VOICE_AI_API_KEY ?? process.env.VOICEAI_API_KEY;
Use a dedicated/revocable Voice.ai API key, avoid storing unrelated secrets in the same .env file, and use --mock for testing.
The script text you choose to convert may leave your device and be processed by Voice.ai.
The skill discloses that user script text is sent to the external Voice.ai service; this is purpose-aligned but can matter if scripts contain private or unpublished content.
Privacy: Video processing is entirely local. Only script text is sent to Voice.ai for TTS.
Do not send confidential scripts unless you are comfortable with Voice.ai processing them; use --mock when testing locally.
The tool may run a local ffmpeg binary to process audio and video files you provide.
The skill intentionally invokes local ffmpeg functionality for media processing. This is disclosed and aligned with the voiceover/video purpose.
ffmpeg (optional) — needed for master stitching, MP3 encoding, loudness normalization, and video muxing.
Install ffmpeg from a trusted source and review output paths before running muxing or replacement commands.
It may be harder to independently verify the origin of the bundled CLI before running it.
The registry does not provide a source or homepage even though the workflow runs a bundled CLI. Source files are included in the artifact set, so this is a provenance note rather than evidence of malicious behavior.
Source: unknown; Homepage: none
Review the included code or obtain the skill from a trusted source before using it with real API keys or private scripts.