ElevenLabs TTS

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward ElevenLabs text-to-speech skill that sends chosen text to ElevenLabs and saves the returned audio file.

Install only if you are comfortable sending the text you synthesize to ElevenLabs. Keep ELEVENLABS_API_KEY in the environment, avoid placing it in files or logs, and do not use confidential or regulated text as input unless your ElevenLabs account and data-handling requirements allow it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill explicitly instructs use of an environment-secret API key and external ElevenLabs network calls, but the metadata shown does not declare corresponding permissions. That mismatch is dangerous because it undermines least-privilege review and can cause agents to grant undeclared access to secrets and outbound networking without clear user visibility.

Missing User Warnings

Medium
Confidence: 79%
Finding: The script transmits arbitrary user-supplied text to a third-party service for synthesis without any explicit inline warning or consent mechanism. In contexts where users may pass sensitive prompts, secrets, or personal data, this can create a privacy and data-governance risk because the text leaves the local environment and is processed externally.

VirusTotal

66/66 vendors flagged this skill as clean.