Security audit

ai-voice-cloning

Security checks across malware telemetry and agentic risk

Overview

This voice-cloning skill is not clearly malicious, but it asks users to enable a broad paid third-party AI gateway and lacks important consent and privacy guardrails for cloning voices.

Install only after deciding you are comfortable giving an agent a SkillBoss API key for a broad paid AI platform, not just a single ElevenLabs voice-cloning endpoint. Use billing limits or a restricted key if available, and only clone voices when you have clear authorization from the voice owner and understand that prompts or audio may be sent to an external provider.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Intent-Code Divergence

Medium

Confidence: 95% confidence
Finding: The skill is marketed for voice cloning, but its recommended models are mostly text/chat LLMs unrelated to voice cloning. This mismatch can cause an agent to invoke the wrong capability, produce invalid outputs, or route sensitive user data to inappropriate third-party models under false pretenses.

Intent-Code Divergence

Medium

Confidence: 96% confidence
Finding: The agent instructions direct users toward cheaper or best-quality alternatives that are non-voice LLMs, contradicting the skill's voice-cloning purpose. In practice, this can mislead agents into sending task content to unrelated models and undermines safe, accurate tool selection.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The invocation guidance is very broad and encourages auto-configuration of a large external platform without clear boundaries on when the skill should activate. Overbroad triggers increase the chance of accidental invocation, unnecessary credential setup, and unexpected third-party data exposure.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The usage triggers are generic enough to overlap with broader requests and do not define exclusions, consent requirements, or the need for user-provided voice rights. This raises the risk of the skill activating in ambiguous contexts where voice cloning would be inappropriate or unsafe.

Missing User Warnings

High

Confidence: 98% confidence
Finding: A voice-cloning skill inherently carries elevated privacy, consent, impersonation, and biometric-data risks, yet the documentation provides no warnings about obtaining consent, lawful use, or transmission of sensitive prompts/audio to an external API. In this context, the omission is significant because users may unknowingly submit identifying voice data to a third party and misuse cloned voices for impersonation.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.