ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ElevenLabs Voices

v2.1.6

High-quality voice synthesis with 18 personas, 32 languages, sound effects, batch processing, and voice design using ElevenLabs API.

16· 6k·24 current·25 all-time
byRobby@robbyczgw-cla
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (ElevenLabs TTS/SFX) aligns with the included Python scripts (tts.py, sfx.py, voice-design.py, setup.py) that call ElevenLabs API endpoints. Declared requirement (python3) and declared env var (ELEVEN_API_KEY) are appropriate and necessary for the described functionality.
Instruction Scope
Runtime instructions and scripts operate within the skill directory and call ElevenLabs endpoints for TTS and sound generation, which is expected. The setup wizard and scripts write local files (config.json, .env, .usage.json) and track usage including truncated prompt text — this is functional for cost tracking but stores user-provided prompts locally. Documentation instructs editing ~/.openclaw/openclaw.json for OpenClaw integration, but the scripts do not appear to parse that file (they only read env vars and a skill-local .env), which is a minor inconsistency between docs and code.
Install Mechanism
No install spec is provided (instruction-only skill) and the package contains plain Python scripts. There are no remote downloads or archive extracts in the install metadata. This is low risk from an install-mechanism perspective, but note the skill includes executable scripts that will perform network calls when run.
Credentials
The only secret required is ELEVEN_API_KEY (and an alias ELEVENLABS_API_KEY), which is appropriate for calling the ElevenLabs API. The skill stores the API key locally (config.json/.env) if you run the setup wizard — storing secrets in plaintext is functionally convenient but increases local exposure. The scripts also persist usage records and short prompt excerpts in .usage.json, which may be sensitive depending on your prompts.
Persistence & Privilege
The skill does not request elevated system privileges, does not set always:true, and only writes files within the skill directory (config.json, .usage.json, generated audio). That level of persistence is typical and proportional for a CLI-style TTS tool.
Assessment
This skill appears to do what it says: local Python scripts that call ElevenLabs API for TTS and SFX. Before installing or running: 1) Review the code files (they're included) and confirm you trust them — they will send text to api.elevenlabs.io. 2) Prefer setting your ELEVEN_API_KEY as an environment variable rather than saving it in config.json/.env to reduce plaintext credential storage. 3) Be aware the tool stores usage data and truncated prompt text in .usage.json; don't feed confidential text into the tool if you want it to remain private. 4) Documentation mentions OpenClaw integration paths, but the scripts don't parse ~/.openclaw/openclaw.json — expect configuration via env or skill-local .env/config.json. 5) Source/homepage is missing in the registry metadata; if provenance matters to you, obtain the package from a known repository or vendor (or verify the included code) before granting it access to your API key or running it on sensitive data.

Like a lobster shell, security has layers — review code before you run it.

latestvk976cxnfp5v3ra6fcyvfv8zwns8279yt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython3

Comments