ClawHub

ElevenReader

Security checks across malware telemetry and agentic risk

Overview

This ElevenReader skill appears to provide the expected text-to-speech connector behavior, with some privacy and install-process caveats users should understand.

Install this if you are comfortable sending text you ask it to read to ElevenLabs and having the resulting audio placed in connector transit storage. Review the oo CLI installer source or use an official package/install guide before running the curl-to-bash command, especially on systems with sensitive data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The description says to use this skill for "ANY ElevenReader request" and "Whenever a task involves ElevenReader," which is a very broad activation condition. It does not define boundaries, exclusions, or concrete trigger phrases, so ordinary references to ElevenReader could match unintentionally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This markdown file states that input text will be converted to speech and the generated audio will be uploaded to connector transit storage. That behavior can affect user data and privacy, but the description provides no warning, caution, or disclosure about the upload/storage side effect.

External Script Fetching

High
Category
Supply Chain
Content
- **`oo: command not found`** — install the oo CLI (other platforms: <https://cli.oomol.com/install-guide.md>):

  ```bash
  curl -fsSL https://cli.oomol.com/install.sh | bash    # macOS / Linux
  ```

  ```powershell
Confidence
90% confidence
Finding
curl -fsSL https://cli.oomol.com/install.sh | bash

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal