Sound FX
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: sound-fx Version: 0.1.1 The skill bundle is benign. It generates sound effects using the ElevenLabs API as described. The `scripts/generate_sfx.sh` script securely retrieves the API key from environment variables, constructs a standard JSON payload, and makes a legitimate POST request to `https://api.elevenlabs.io/v1/sound-generation`. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, prompt injection attempts in `SKILL.md`, or obfuscation. All actions are clearly aligned with the stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Generated sound requests can consume the user's ElevenLabs account quota or billing allowance.
The script reads an ElevenLabs API key from the environment and uses it to authenticate to the ElevenLabs API. This is expected for the stated integration, but it gives the skill access to the user's ElevenLabs account/API quota.
API_KEY="${ELEVENLABS_API_KEY:-${XI_API_KEY:-}}" ... -H "xi-api-key: ${API_KEY}"Use a dedicated ElevenLabs key if possible, keep it out of shared files, and remove it from the environment or config when no longer needed.
Any sensitive text included in the sound prompt could be sent to ElevenLabs.
The skill discloses that it sends the sound-effect prompt to the external ElevenLabs service. This is purpose-aligned, but it means prompt text leaves the local environment.
Uses `POST https://api.elevenlabs.io/v1/sound-generation`
Avoid placing secrets, private names, or confidential business details in prompts unless that is acceptable under your ElevenLabs data-use policy.
If directed to an important existing file path, the script could overwrite a user-writable file with the generated audio or an error response.
The script saves the API response to a caller-supplied output path and marks it as media for attachment. This is expected for an audio-generation skill, but users should choose a safe output path.
curl -sS -o "$OUT" ... echo "MEDIA: $OUT"
Write outputs to a temporary or project media directory, and avoid protected or important existing file paths.
Installation or first use may fail until the needed local tools and API key are available, and users may not see those requirements from metadata alone.
The registry metadata under-declares setup needs: the documentation and script use an ElevenLabs API key and local tools such as bash, curl, and python3, with optional ffmpeg conversion. The included code is visible and no remote installer is shown.
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none
Before use, confirm curl, python3, and any desired ffmpeg conversion support are installed, and configure the ElevenLabs API key deliberately.