Sound FX
PassAudited by ClawScan on May 1, 2026.
Overview
The skill is purpose-aligned and transparent: it uses an ElevenLabs API key to turn a text prompt into an audio file, with only minor setup and data-sharing notes.
This appears safe for its stated purpose. Before installing, be aware that your prompt text is sent to ElevenLabs, your API key may be used for billable requests, and the output file path should be chosen carefully.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Generated sound requests can consume the user's ElevenLabs account quota or billing allowance.
The script reads an ElevenLabs API key from the environment and uses it to authenticate to the ElevenLabs API. This is expected for the stated integration, but it gives the skill access to the user's ElevenLabs account/API quota.
API_KEY="${ELEVENLABS_API_KEY:-${XI_API_KEY:-}}" ... -H "xi-api-key: ${API_KEY}"Use a dedicated ElevenLabs key if possible, keep it out of shared files, and remove it from the environment or config when no longer needed.
Any sensitive text included in the sound prompt could be sent to ElevenLabs.
The skill discloses that it sends the sound-effect prompt to the external ElevenLabs service. This is purpose-aligned, but it means prompt text leaves the local environment.
Uses `POST https://api.elevenlabs.io/v1/sound-generation`
Avoid placing secrets, private names, or confidential business details in prompts unless that is acceptable under your ElevenLabs data-use policy.
If directed to an important existing file path, the script could overwrite a user-writable file with the generated audio or an error response.
The script saves the API response to a caller-supplied output path and marks it as media for attachment. This is expected for an audio-generation skill, but users should choose a safe output path.
curl -sS -o "$OUT" ... echo "MEDIA: $OUT"
Write outputs to a temporary or project media directory, and avoid protected or important existing file paths.
Installation or first use may fail until the needed local tools and API key are available, and users may not see those requirements from metadata alone.
The registry metadata under-declares setup needs: the documentation and script use an ElevenLabs API key and local tools such as bash, curl, and python3, with optional ffmpeg conversion. The included code is visible and no remote installer is shown.
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none
Before use, confirm curl, python3, and any desired ffmpeg conversion support are installed, and configure the ElevenLabs API key deliberately.