Sag
PassAudited by ClawScan on May 1, 2026.
Overview
This is a coherent ElevenLabs text-to-speech skill, but it requires trusting a Homebrew-installed CLI and using an ElevenLabs API key.
This skill appears benign and purpose-aligned. Before installing, verify the sag Homebrew formula source, use a revocable ElevenLabs API key, and avoid sending confidential text for voice generation unless you are comfortable with ElevenLabs processing it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Voice generation may consume the user's ElevenLabs quota or billing allocation when the skill is invoked.
The skill requires an ElevenLabs credential so the CLI can make TTS requests. This is purpose-aligned and disclosed, but it gives the tool access to use the user's ElevenLabs account.
API key (required) - `ELEVENLABS_API_KEY` (preferred) - `SAG_API_KEY` also supported by the CLI
Use a revocable API key, monitor ElevenLabs usage, and only configure the key in environments where you trust the installed CLI.
Installing the skill requires trusting the referenced Homebrew formula and the binary it provides.
The skill depends on installing the sag binary from an external Homebrew tap. That is coherent for a CLI-based skill, but the supplied artifacts do not include the CLI source.
brew | formula: steipete/tap/sag | creates binaries: sag
Verify the Homebrew tap and homepage before installing, and keep the CLI updated from the expected source.
Text submitted for voice generation may be processed by ElevenLabs, so sensitive content could leave the local machine.
The text-to-speech function necessarily sends text through the ElevenLabs-backed CLI. This external provider use is disclosed and central to the skill's purpose.
Use `sag` for ElevenLabs TTS with local playback.
Avoid using the skill for secrets or confidential text unless the provider's privacy and retention terms are acceptable.