Audio Gen 1.0.0
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is mostly aligned with audio generation, but its workflow embeds generated user text directly into a shell command, which could allow unintended command execution if mishandled.
Review this skill before installing. It appears intended for audio generation, but its command template should be made safer before use with arbitrary generated scripts. Also verify the external sag helper and use limited API keys because the workflow depends on Anthropic and ElevenLabs credentials.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted request could potentially cause the agent to run local shell commands instead of only sending text to the TTS script.
The skill tells the agent to place the generated script text directly into a bash command. Since that text can be influenced by the user's topic or requested content, quotes, substitutions, or other shell metacharacters could be interpreted unless safely escaped or passed out-of-band.
uv run /home/clawdbot/clawdbot/skills/sag/scripts/tts.py ... -m eleven_multilingual_v2 "[formatted_script]"
Pass script text through a safe file, stdin, or an exec API with an argument array rather than interpolating it into a shell string; also sanitize the output filename slug and keep the explicit user approval step.
The security and behavior of audio generation depend partly on another installed skill and its TTS script.
The skill depends on an external sag skill/helper script that is not included in the provided file manifest. This is disclosed and purpose-aligned, but the helper's code and provenance are outside this review.
"requires":{"skills":["sag"] ... uv run /home/clawdbot/clawdbot/skills/sag/scripts/tts.pyVerify the sag dependency source, version, and permissions before relying on this skill, especially because it will handle an ElevenLabs API key.
Installing or using the skill may consume paid API quota and grants the helper access to the configured provider credentials.
The skill requires provider API keys. That is expected for AI script generation and ElevenLabs text-to-speech, and the artifacts do not show hardcoded secrets, logging, or unrelated credential use.
"env":["ANTHROPIC_API_KEY","ELEVENLABS_API_KEY"] ... "ELEVENLABS_API_KEY" environment variable is already configured
Use restricted API keys where possible, monitor usage and billing, and avoid providing credentials you do not want this audio workflow to use.