Security audit

elevenlabs-tts

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward ElevenLabs text-to-speech skill, with the main caveat that text is sent to ElevenLabs for processing.

Install only if you are comfortable using an ElevenLabs API key and sending the text you convert to ElevenLabs. Avoid secrets, confidential documents, personal data, or regulated content unless you have approval for that external processing and understand the provider's retention, quota, and billing terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill instructs users to send arbitrary text to a third-party TTS service but does not clearly warn that the text leaves the local environment and is transmitted to ElevenLabs. This creates a real privacy risk because users may unknowingly submit sensitive, confidential, or regulated data to an external processor.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
}
    }

    response = requests.post(url, json=data, headers=headers)

    if response.status_code == 200:
        with open(output_path, "wb") as f:
Confidence: 93%
Finding
requests.post(url, json=

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
### Text-to-Speech
```
POST https://api.elevenlabs.io/v1/text-to-speech/{voice_id}
```

**Request Body:**
Confidence: 88%
Finding
https://api.elevenlabs.io/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
VOICE_ID = "21m00Tcm4TlvDq8ikWAM"  # Rachel

def text_to_speech(text, output_path):
    url = f"https://api.elevenlabs.io/v1/text-to-speech/{VOICE_ID}"

    headers = {
        "xi-api-key": ELEVENLABS_API_KEY,
Confidence: 92%
Finding
https://api.elevenlabs.io/

VirusTotal

66/66 vendors flagged this skill as clean.