Announcer
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: announcer Version: 1.2.3 The skill bundle is benign. The `scripts/announce.py` script demonstrates good security practices by explicitly sanitizing user-provided speaker names before embedding them into AppleScript commands, preventing AppleScript injection. All `subprocess.run` calls use argument lists rather than shell strings, and inputs to commands like `ffmpeg` and `afplay` are either static asset paths or securely generated temporary file paths. There is no evidence of data exfiltration, persistence mechanisms, or prompt injection attempts in `SKILL.md` or `SETUP.md`. The skill's functionality aligns with its stated purpose of playing TTS announcements via AirPlay.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked, the skill can make audible announcements over configured speakers and may interrupt existing playback.
The script controls Airfoil speakers and speaker volume via AppleScript, which is exactly how the announced functionality works.
tell application "Airfoil" ... connect to s ... set (volume of s) to {volume}Configure the speaker list and exclusions carefully, and use the skill only for announcements you are comfortable broadcasting in the home.
Announcements may consume ElevenLabs quota and use the account associated with the API key.
The skill requires an ElevenLabs credential for its intended TTS function; the artifacts do not show hardcoding, logging, or unrelated credential use.
ElevenLabs API key — Required for TTS generation ... Set environment variable: `ELEVENLABS_API_KEY`
Use an API key intended for this purpose, keep it private, and monitor ElevenLabs usage.
The behavior also depends on the installed ElevenLabs skill, so its safety and version affect this skill.
The script calls a sibling ElevenLabs skill that is not included in this artifact set; this dependency is disclosed in setup documentation and is purpose-aligned.
ELEVENLABS_SPEECH = SKILL_DIR.parent / "elevenlabs" / "scripts" / "speech.py"
Install the expected ElevenLabs skill from a trusted source and review or pin it if possible.
Text you ask it to announce may be sent to ElevenLabs for speech generation.
The announcement text is used with the ElevenLabs TTS service, which is expected for this skill but means message content may leave the local machine.
Generate speech via ElevenLabs
Avoid using the skill for secrets or highly sensitive announcements unless you are comfortable with ElevenLabs handling that text.