Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Voice Memo

v0.1.2

Send native iMessage voice bubbles with ElevenLabs TTS via BlueBubbles. Use when: user asks to send a voice message, wants something spoken aloud, storytelli...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The script implements exactly what the skill describes: it calls ElevenLabs TTS, converts audio with afconvert to Opus CAF, and posts to a BlueBubbles Private API to produce native iMessage voice bubbles. Required binaries (curl, afconvert) and the two service credentials are appropriate for this functionality.
Instruction Scope
SKILL.md and the script confine actions to generating audio, converting it, and sending it to the BlueBubbles endpoint. The script sources ~/.openclaw/.env for credentials and does not attempt to read unrelated system files or exfiltrate arbitrary data. It documents how transcriptions integrate into conversation context and notes that transcriptions are not auto-persisted.
Install Mechanism
No install spec (instruction-only) and a small included shell script. No downloads, archive extraction, or third-party package installs — low install-time risk.
Credentials
The script requires ELEVENLABS_API_KEY and BLUEBUBBLES_PASSWORD (proportionate to the task). However, registry metadata at the top of the submission lists no required env vars while SKILL.md and the script do — an inconsistency. Also note the script blindly sources ~/.openclaw/.env, which may contain additional secrets; ensure that file contains only intended credentials and is protected.
Persistence & Privilege
always:false and no system-wide configuration changes. The skill can be invoked autonomously (platform default), which is expected for skills; it does not request persistent elevated privileges or modify other skills' configs.
Assessment
This skill appears to do what it claims: generate ElevenLabs TTS, convert to Opus CAF, and post to a BlueBubbles Private API to create native iMessage voice bubbles. Before installing:
(1) verify the skill's source (homepage is a GitHub repo) and inspect ~/.openclaw/.env to ensure it only contains the expected ELEVENLABS_API_KEY and BLUEBUBBLES_PASSWORD;
(2) ensure BLUEBUBBLES_URL points to a trusted local BlueBubbles instance (default is http://127.0.0.1:1234);
(3) treat the ElevenLabs API key as billable/privileged — restrict its scope and rotate if shared;
(4) be aware that if you set BLUEBUBBLES_URL to a remote endpoint, audio and metadata will be sent there (so only use trusted endpoints); and
(5) note the metadata/registry inconsistency (registry omitted required env vars) — this is likely a packaging oversight but worth confirming with the author before granting credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ebx25y17fr1jn6bz4kczwes81x9rg

Runtime requirements

🎙️ Clawdis
Bins: curl, afconvert