Miranda SAG (ElevenLabs TTS say-UX)
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: miranda-sag Version: 1.0.0 The skill bundle is benign. It provides instructions for an AI agent to install and use the 'sag' text-to-speech tool, which integrates with ElevenLabs. The `SKILL.md` file outlines standard usage, including installation via Homebrew and generating temporary audio files in `/tmp` for media replies. All actions, such as requiring an `ELEVENLABS_API_KEY` and executing the `sag` binary, are directly aligned with the stated purpose of providing text-to-speech functionality. There is no evidence of prompt injection, data exfiltration, malicious execution, persistence mechanisms, or other harmful behaviors within the provided files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Voice generation may consume account quota or incur provider usage under the user's ElevenLabs account.
The skill requires an ElevenLabs credential, which is expected for ElevenLabs TTS but gives the CLI access to the user's ElevenLabs account and usage quota.
API key (required) - `ELEVENLABS_API_KEY` (preferred) - `SAG_API_KEY` also supported by the CLI
Use a revocable API key, monitor ElevenLabs usage, and avoid sharing the key beyond the intended environment.
Installing the skill requires trusting the external sag Homebrew package that will run locally and use the configured API key.
The skill's functionality depends on installing an external Homebrew formula rather than code included in the skill artifacts; this is purpose-aligned for a CLI wrapper but makes package provenance important.
brew | formula: steipete/tap/sag | creates binaries: sag
Review the Homebrew formula and upstream project before installing, and keep the CLI updated from a trusted source.
Users may have less clarity about whether the published registry entry exactly matches the original package identity.
The embedded metadata identifies a different owner/slug than the submitted registry entry for Miranda SAG, which is a provenance/name-continuity inconsistency but not evidence of malicious behavior.
"ownerId": "kn70pywhg0fyz996kpa8xj89s57yhv26", "slug": "sag"
Confirm that the registry listing, homepage, and Homebrew formula are the intended project before installing.
Text converted to speech may be sent to the TTS provider, and generated audio may be attached back to the chat when requested.
The skill is explicitly for ElevenLabs TTS, so text provided for speech will be handled through the sag/ElevenLabs provider flow; this is expected but relevant for sensitive content.
Use `sag` for ElevenLabs TTS with local playback.
Do not use the skill for confidential text unless the provider account and data-handling terms are acceptable.