Is elevenlabs-tts safe?

https://clawhub.ai/Shaharsha/elevenlabs-tts

82
SAFE

The elevenlabs-tts skill is a legitimate ElevenLabs Text-to-Speech integration for OpenClaw. It contains no executable code and no install hooks, and it exhibited clean behavior during monitoring, with no network activity or canary file tampering. The primary risk surface is the broad set of tool permissions (exec, tts, message), which are justified for the TTS-to-WhatsApp workflow but grant significant capabilities that could be abused if the skill were modified maliciously.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (9)

MEDIUM Sensitive file reads during runtime initialization -15

Filesystem monitoring detected reads of .env, .aws/credentials, openclaw.json, auth-profiles.json, .profile, and .bashrc during the OpenClaw runtime boot sequence. While these reads are from the platform runtime (not the skill itself), the skill's exec tool access could theoretically be abused to read these same files.

LOW Hidden Unicode character in instruction template -5

The skill includes a Unicode Left-to-Right Mark (U+200E) in the WhatsApp voice message sending example. While documented as a WhatsApp requirement for sending voice notes with empty-looking message bodies, hidden Unicode characters in skill instructions are a known prompt injection technique. In this case the usage appears legitimate.

LOW Broad tool permissions requested -10

The skill requests exec, tts, and message tools. The exec tool grants shell command execution capability and the message tool allows sending messages to arbitrary recipients. While both are justified for the TTS-to-WhatsApp workflow, these are powerful permissions.

LOW Shell command patterns in skill instructions -10

The skill instructs the agent to execute ffmpeg commands and use shell features like cat heredocs for file concatenation. These are standard audio processing patterns but represent shell execution surface area.

INFO No executable code in skill package 0

The skill contains only markdown documentation files (SKILL.md, references/audio-tags.md) and metadata JSON files. No executable code, no package.json, no install hooks.

INFO Clean installation with no anomalous behavior 0

The skill installed without triggering any network connections, process spawning, or filesystem changes outside expected directories. All monitoring signals are clean.

MEDIUM Message tool enables arbitrary recipient targeting -20

The skill demonstrates sending WhatsApp messages to phone numbers specified by the user. While this is core functionality, the message tool combined with exec access could be exploited to send unsolicited messages or exfiltrate data through messaging channels if the skill instructions were modified.

INFO API key handling follows standard patterns 0

The skill instructs users to store their ElevenLabs API key in the standard openclaw.json configuration file and reference it via the ELEVENLABS_API_KEY environment variable. No instructions to send keys to third-party endpoints.

LOW API calls to external service -10

The skill directs API calls to api.elevenlabs.io for voice synthesis. This is the legitimate ElevenLabs endpoint and is expected for TTS functionality, but it means audio content and text are sent to an external service.