Sound FX

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends a user-provided sound prompt to ElevenLabs and saves the returned audio file.

Install only if you are comfortable sending sound-effect prompts to ElevenLabs and using your ElevenLabs API key for requests that may affect quota or billing. Avoid putting secrets or confidential details in prompts, and choose output paths carefully because the script writes directly to the path you provide.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises shell and environment-variable based capabilities but does not declare permissions, which weakens transparency and policy enforcement. In practice this can let a user or host system invoke the skill without realizing it can access API keys and execute commands, increasing the chance of unintended credential use or command execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to supply API credentials and send prompts to ElevenLabs, but it does not warn that user-provided text will be transmitted to a third-party service. This is dangerous because users may include sensitive or proprietary content in prompts without informed consent, causing unintended external disclosure.

External Transmission

Medium
Category
Data Exfiltration
Content
```
**Notes**
- Uses `POST https://api.elevenlabs.io/v1/sound-generation`
- Supports optional `--duration` (0.5–30s). When omitted, duration is auto.
- Prints `MEDIA: <path>` on success for auto-attach.
```
Confidence
88% confidence
Finding
https://api.elevenlabs.io/

VirusTotal

61/61 vendors flagged this skill as clean.