Voice Clone TTS

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only voice cloning and text-to-speech guide whose sensitive behavior is expected and mostly disclosed, though users should treat voice samples and scripts as private data.

Install only if you are comfortable sending chosen voice samples, scripts, and related metadata to the selected TTS provider. Use only voices you own or have explicit consent to clone, avoid impersonation or misleading public content, protect provider API keys and voice IDs, and review each provider's retention and deletion policies before uploading sensitive audio.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill handles sensitive inputs—uploaded voice samples and synthesis text—and explicitly routes them to third-party TTS/cloning providers, but it does not warn users that their data may leave the local environment. This creates a real privacy and consent risk, especially because voiceprints are biometric data and prompts/text may contain confidential or personal information.

Missing User Warnings

Medium
Confidence: 91%
Finding
The document instructs users to send text to third-party TTS and voice-cloning services but does not warn that prompt text, audio samples, and cloned-voice data may leave the local environment and be processed by external vendors. In a voice-cloning skill, this omission is materially important because users may submit sensitive text or biometric voice samples without understanding the privacy, consent, and retention implications.

VirusTotal

47/47 vendors flagged this skill as clean.
