ClawHub

Miranda ElevenLabs Speech (TTS/STT)

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward ElevenLabs text-to-speech and speech-to-text helper, but users should understand that chosen text or audio is sent to ElevenLabs and generated audio can be written to local paths.

Install only if you are comfortable using an ElevenLabs API key and sending selected text or audio recordings to ElevenLabs for processing. Avoid secrets or sensitive conversations unless you have consent and appropriate approvals, monitor API quota or costs, and choose output paths carefully because generated audio is written wherever the command is told to save it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill promotes TTS/STT through ElevenLabs but does not warn that user text and audio will be sent to a third-party provider for processing. This can lead to accidental disclosure of sensitive content, especially for voice messages or transcripts that may contain personal, confidential, or regulated data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The Telegram workflow examples normalize sending user voice messages to ElevenLabs for transcription and writing generated audio files locally, but they omit any warning about third-party processing or local artifact creation. In chat-agent contexts this is more dangerous because users may assume voice messages stay within the platform, while the skill actually exports them and leaves local files behind.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code uploads the full audio file to ElevenLabs' external API for transcription, but there is no user-facing disclosure, consent check, or indication that potentially sensitive voice content leaves the local environment. In a voice-processing skill, this behavior is expected functionally, but it still creates a real privacy and data-handling risk if users assume transcription is local or are unaware of third-party processing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function transmits user-supplied text to ElevenLabs over the network, but the code provides no explicit disclosure, consent flow, or sensitivity check before sending potentially private content to a third party. In a voice-processing skill this behavior is expected, but it is still privacy-relevant because users may input secrets, personal data, or regulated content.

External Transmission

Medium
Category
Data Exfiltration
Content
}
        
        try:
            response = requests.post(url, headers=headers, json=payload, timeout=60)
            response.raise_for_status()
            
            # Save audio file
Confidence
95% confidence
Finding
requests.post(url, headers=headers, json=

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal