Elevenlabs
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a coherent ElevenLabs helper skill, but it uses an ElevenLabs API key and can upload voice samples for cloning, so those actions deserve user review.
Before installing, make sure you are comfortable giving the skill access to your ElevenLabs API key. Treat voice samples as sensitive biometric data, only clone voices with consent, and install the required local dependencies from trusted sources.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings for this skill version.
- Malicious: 0
- Suspicious: 0
- Harmless: 0
- Undetected: 66
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent process with this key can use the connected ElevenLabs account within the key's permissions, potentially consuming quota or accessing voice/account information.
The skill requires and may persist an ElevenLabs credential, which grants account/API access for generation, quota, voice listing, and voice-management actions.
export ELEVENLABS_API_KEY="your-api-key-here" ... Add to your shell profile ... The state directory can contain: .env file with ELEVENLABS_API_KEY
Use a revocable or least-privileged ElevenLabs key if available, store it securely, and remove it from shell profiles or .env files when no longer needed.
Voice samples can leave the device and a cloned voice may be added to the ElevenLabs account, which has privacy and consent implications.
The voice-cloning tool uploads local audio files to ElevenLabs and creates a new voice in the account. The code includes path, extension, and size checks, making this purpose-aligned but still sensitive.
url = "https://api.elevenlabs.io/v1/voices/add" ... fh = open(path, "rb") ... requests.post(url, headers=headers, files=files_list)
Only clone voices from authorized samples, review the --sample-dir and --files arguments before running, and remove unwanted cloned voices from ElevenLabs.
Installing dependencies trusts the package sources and local package manager configuration.
Setup relies on user-installed external dependencies. This is common for an audio/API helper and is not automatic, but the dependencies are not pinned in the instructions.
brew install ffmpeg ... python3 -m pip install requests
Install dependencies from trusted sources and keep them updated; consider pinning Python package versions in a controlled environment.
The skill may invoke local audio tools for playback or processing when requested.
The skill can run a local audio playback command when the user selects --play. It uses an argument list rather than a shell command and is aligned with audio generation.
if args.play: ... subprocess.run(["afplay", str(output_path)], check=True)
Use playback/splitting options only when desired and ensure local audio binaries such as afplay or ffmpeg come from trusted sources.
