ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Elevenlabs Toolkit

v1.0.2

ElevenLabs voice API integration — TTS, sound effects, music generation, speech-to-text, voice isolation, and streaming. Use when building voice-enabled apps...

0· 519·5 current·6 all-time
byNissan Dookeran@nissan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (ElevenLabs TTS, STT, SFX, music, streaming, voice isolation) align with the code and SKILL.md: the code proxies to api.elevenlabs.io endpoints for voices, text-to-speech, sound generation, speech-to-text, isolation, and streaming. ELEVENLABS_API_KEY is declared and used as the primary credential.
Instruction Scope
SKILL.md and the included Python implement only the declared ElevenLabs features and expose FastAPI endpoints for them. However, the code also implements a conversational 'story concierge' that calls a third-party Mistral client if MISTRAL_API_KEY is present — this behavior is not declared in requires.env and broadens the runtime scope. SKILL.md's metadata mentions base64 usage but the implementation returns raw bytes (minor inconsistency).
!
Install Mechanism
There is no install spec, yet the included code depends on multiple Python packages (fastapi, starlette, httpx, websockets, mistralai, etc.). Without a declared install step, an environment running this skill may lack required dependencies or the operator may need to install them manually; that absence is an operational and supply-chain mismatch (not necessarily malicious but worth noting).
!
Credentials
ELEVENLABS_API_KEY is appropriate and declared as primary. The code optionally reads MISTRAL_API_KEY and imports a 'mistralai' client to call another service, but MISTRAL_API_KEY is not listed in requires.env. Requesting or using additional service credentials without declaration is a proportionality/information-gap concern.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no declared persistent/system-level privileges. It performs outbound network calls to ElevenLabs (expected for the stated purpose).
What to consider before installing
This skill appears to implement the ElevenLabs features it advertises, but you should be cautious before installing or running it: 1) The package includes Python code that requires additional libraries (fastapi, httpx, websockets, mistralai, etc.) but provides no install instructions — ask the author for a requirements file or installation spec or prepare to install dependencies yourself. 2) The code can optionally call Mistral if MISTRAL_API_KEY is present, but that env var is not declared; if you do not want it to call Mistral, ensure MISTRAL_API_KEY is not set in your environment. 3) The skill needs outbound network access and your ELEVENLABS_API_KEY; never share that key with untrusted code. 4) Confirm expected behavior (for streaming, STT uploads, and conversational features) in a safe environment before using in production. If you need higher assurance, request the author to: (a) declare all required env vars (including optional ones), (b) provide a requirements.txt or install spec that uses trusted package sources, and (c) document exactly when additional services (like Mistral) will be invoked.

Like a lobster shell, security has layers — review code before you run it.

latestvk977b5h70f0v023hzz9z8g8pb183r220

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎙️ Clawdis
EnvELEVENLABS_API_KEY
Primary envELEVENLABS_API_KEY

Comments