elevenlabs

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward ElevenLabs-over-RunAPI skill, with the main consideration that requests go to a cloud provider using RunAPI credentials.

Install only if you intend to use RunAPI and ElevenLabs for cloud audio tasks. Review request files before running the CLI, avoid sending secrets or regulated personal/business data unless approved, and treat RUNAPI_API_KEY or saved runapi login state like sensitive credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 85%
Finding
The skill directs users to authenticate with RunAPI and send text or audio to an external provider, but it does not explicitly warn that prompts, transcripts, and media may leave the local environment or that API credentials are being used. In an agent setting, this can cause unintended disclosure of sensitive data if a user or downstream system assumes processing is local or does not understand that third-party transmission occurs.

VirusTotal

VirusTotal findings are pending for this skill version.
