Is abhishek-official1/clawvox safe?

https://github.com/openclaw/skills/tree/main/skills/abhishek-official1/clawvox

83
SAFE

ClawVox is a legitimate ElevenLabs API wrapper for the OpenClaw agent platform, submitted as part of a hackathon. No prompt injection, hidden instructions, malicious code, or active credential exfiltration was detected during installation. The primary risks are architectural rather than adversarial: file-handling scripts accept arbitrary filesystem paths without type validation (enabling inadvertent sensitive-file upload to ElevenLabs), biometric voice data is sent to a third-party service without explicit user disclosure, and the voice cloning feature creates a dual-use attack surface that could be abused via prompt injection by a separately compromised agent.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 88/100 · 30%
Data Exfiltration 68/100 · 25%
Code Execution 89/100 · 20%
Clone Behavior 91/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 64/100 · 5%

Weighted sum: 83.5, reported as the overall score of 83.

Findings (7)

MEDIUM Unrestricted file-path injection across all file-handling scripts -20

transcribe.sh, clone.sh, isolate.sh, dub.sh, and speak.sh --input accept arbitrary filesystem paths without validating that the target is an audio or text file of the expected type. Any agent manipulation that points these commands at a sensitive file (e.g., ~/.env, ~/.ssh/id_rsa, ~/.aws/credentials) causes its raw contents to be uploaded to api.elevenlabs.io. ElevenLabs will reject the request, but by then the HTTP POST body, file contents included, has already left the host. The rejection happens server-side, so only a client-side check performed before the upload prevents the leak.

MEDIUM Biometric voice data transmitted to third-party ElevenLabs servers -12

clone.sh sends audio samples directly to api.elevenlabs.io/v1/voices/add. Voice audio is biometric data. SKILL.md does not warn users that voice recordings will be stored on ElevenLabs infrastructure, nor does it describe ElevenLabs data retention policies. Users enabling this skill implicitly consent to voice data leaving their environment.

MEDIUM Voice cloning capability creates deepfake and fraud attack surface -25

The skill provides a fully functional voice cloning pipeline requiring only a 30-second audio sample. If an attacker can inject a task (e.g., via a document the agent reads) instructing it to clone a specific person's voice, the cloned voice ID is stored in the user's ElevenLabs account and can be used for subsequent TTS generation. This enables voice deepfakes under the user's API key with no additional confirmation step.

LOW speak.sh --input enables silent text-file exfiltration via TTS synthesis -11

An agent can be directed to synthesize speech from any text file. The contents of ~/.env, ~/.ssh/config, or any other plaintext secret file would be embedded in the JSON POST body and sent to ElevenLabs for synthesis. Unlike a non-audio upload to the audio endpoints, arbitrary text is valid TTS input, so the request succeeds without an error: the resulting audio is saved to ~/.openclaw/audio/ and the raw file contents remain with ElevenLabs for as long as their request logs retain them.
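Both the file-path finding above and this speak.sh --input finding have the same root cause and the same fix: the scripts must refuse a path before anything is posted. The gate below is an added example written for this report, not ClawVox's own code. It assumes a hypothetical CLAWVOX_INPUT_ROOT variable naming the only directory inputs may be read from (the skill has no such setting), requires an absolute, dot-free, non-symlink regular file under that root, and then checks content rather than extension: a known audio container header for audio inputs, and a small, NUL-free file for TTS text. The sample tree it builds is constructed for the demo; every file in it is fake.

```shell
#!/bin/sh
# Added example, not ClawVox's own code: a gate that transcribe.sh, clone.sh,
# isolate.sh, dub.sh and speak.sh --input could call before any upload.
# Assumption (hypothetical setting): CLAWVOX_INPUT_ROOT names the only
# directory inputs may be read from; the skill has no such variable today.

# validate_input_path PATH KIND    KIND is "audio" or "text".
# Returns 0 only if PATH is an absolute, dot-free, non-symlink regular file
# under CLAWVOX_INPUT_ROOT whose content looks like the expected KIND.
validate_input_path() {
    path=$1; kind=$2; root=$CLAWVOX_INPUT_ROOT
    [ -n "$root" ] || { echo "reject: CLAWVOX_INPUT_ROOT is unset" >&2; return 1; }
    case "$path" in
        /*) ;;
        *)  echo "reject: $path is not absolute" >&2; return 1 ;;
    esac
    case "/$path/" in            # no "." or ".." components, so no walking out
        */../*|*/./*) echo "reject: $path contains a dot component" >&2; return 1 ;;
    esac
    case "$path" in
        "$root"/*) ;;
        *) echo "reject: $path is outside $root" >&2; return 1 ;;
    esac
    # A symlink placed inside the root could still point at ~/.ssh/id_rsa.
    # (A symlinked parent directory is not caught here; canonicalise with
    # realpath first where it is available.)
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "reject: $path is not a regular file" >&2; return 1
    fi
    case "$kind" in
        audio)
            # Check the container's magic bytes rather than the extension.
            magic=$(od -An -tx1 -N4 "$path" | tr -d ' \n')
            case "$magic" in
                52494646*) ;;          # RIFF (WAV)
                664c6143*) ;;          # fLaC
                4f676753*) ;;          # OggS
                494433*)   ;;          # ID3 tag (MP3)
                fffb*|fff3*|fff2*) ;;  # bare MP3 frame sync
                *) echo "reject: $path has no known audio header" >&2; return 1 ;;
            esac ;;
        text)
            # TTS input should be short, printable text: cap the size and
            # refuse anything containing NUL bytes.
            size=$(wc -c < "$path" | tr -d ' ')
            if [ "$size" -gt 65536 ]; then
                echo "reject: $path is larger than 64 KiB" >&2; return 1
            fi
            if [ "$(tr -d '\000' < "$path" | wc -c | tr -d ' ')" -ne "$size" ]; then
                echo "reject: $path contains binary data" >&2; return 1
            fi ;;
        *)  echo "reject: unknown kind $kind" >&2; return 1 ;;
    esac
}

# make_fixtures: writes a constructed sample tree (every file is fake)
# and prints its path.
make_fixtures() {
    d=$(mktemp -d)
    mkdir -p "$d/inputs" "$d/home/.ssh"
    printf 'RIFF\044\000\000\000WAVEfmt ' > "$d/inputs/sample.wav"
    printf 'ID3\003\000\000\000'          > "$d/inputs/sample.mp3"
    printf 'Hello from ClawVox\n'         > "$d/inputs/script.txt"
    printf 'ab\000cd'                     > "$d/inputs/binary.txt"
    printf 'AWS_SECRET_ACCESS_KEY=fake\n' > "$d/inputs/secrets.wav"
    printf 'fake private key\n'           > "$d/home/.ssh/id_rsa"
    ln -s "$d/home/.ssh/id_rsa" "$d/inputs/link.wav"
    echo "$d"
}

# demo: runs the gate over the fixture tree and prints only the accepts;
# rejects are explained on stderr.
demo() {
    fx=$(make_fixtures)
    CLAWVOX_INPUT_ROOT=$fx/inputs
    for f in "$fx/inputs/sample.wav" "$fx/inputs/secrets.wav" "$fx/inputs/link.wav" \
             "$fx/inputs/../home/.ssh/id_rsa" "$fx/home/.ssh/id_rsa"; do
        if validate_input_path "$f" audio; then echo "accept: $f"; fi
    done
    for f in "$fx/inputs/script.txt" "$fx/inputs/binary.txt"; do
        if validate_input_path "$f" text; then echo "accept: $f"; fi
    done
    rm -rf "$fx"
}
demo
```

Only sample.wav and script.txt are accepted; the renamed secrets file fails the magic-byte check, the symlink and the traversal path fail the location checks, and the NUL-containing text file fails the binary check. The header list covers the containers ElevenLabs is most likely to be fed; extend it if the scripts accept other formats.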

LOW bin/elevenlabs.md is a bash script with a Markdown file extension -10

The file bin/elevenlabs.md contains a complete bash dispatcher script (#!/bin/bash, set -euo pipefail, a case statement routing to scripts/) but carries a .md extension. This is misleading: security scanners and human reviewers that treat Markdown files as documentation will miss this executable logic. The script itself is benign, but the mismatch between extension and content is a minor code hygiene concern.
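A reviewer can catch this class of mismatch mechanically. The check below is an added example, not part of the skill or of the Oathe scanner: it walks a skill directory and reports every file with a documentation or data extension whose first two bytes are a shebang, and a wrapper turns that into a pass/fail gate. The skill tree it builds is a constructed stand-in for the real repository.

```shell
#!/bin/sh
# Added example, not ClawVox's or Oathe's code: flag files whose extension
# says "documentation" or "data" but whose content starts with a shebang,
# as bin/elevenlabs.md does.

# find_disguised_scripts DIR
# Prints "path<TAB>interpreter" for every regular file under DIR that has a
# doc/data extension but begins with "#!". Prints nothing when clean.
find_disguised_scripts() {
    dir=$1
    find "$dir" -type f | while IFS= read -r f; do
        case "$f" in
            *.md|*.txt|*.json|*.yaml|*.yml|*.toml|*.csv|*.html) ;;
            *) continue ;;   # .sh, .py and friends are expected to carry a shebang
        esac
        # Only the first two bytes matter; head -c avoids slurping a huge "line".
        [ "$(head -c 2 "$f")" = '#!' ] || continue
        first=$(head -n 1 "$f")
        printf '%s\t%s\n' "$f" "${first#\#!}"
    done
}

# check_skill_tree DIR: CI-style gate, returns 1 when any disguised script exists.
check_skill_tree() {
    hits=$(find_disguised_scripts "$1")
    if [ -n "$hits" ]; then
        printf 'disguised scripts found:\n%s\n' "$hits" >&2
        return 1
    fi
}

# make_skill_fixture: constructed stand-in for the skill tree; prints its path.
make_skill_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/scripts"
    printf '#!/bin/bash\nset -euo pipefail\ncase "$1" in speak) exec scripts/speak.sh "$@";; esac\n' > "$d/bin/elevenlabs.md"
    printf '# ClawVox\n\nElevenLabs wrapper skill.\n' > "$d/SKILL.md"
    printf '#!/bin/bash\necho speak\n' > "$d/scripts/speak.sh"
    printf '{"name": "clawvox"}\n' > "$d/skill.json"
    echo "$d"
}

demo() {
    fx=$(make_skill_fixture)
    find_disguised_scripts "$fx"
    rm -rf "$fx"
}
demo
```

On the fixture the only hit is bin/elevenlabs.md with interpreter /bin/bash; SKILL.md and skill.json are skipped as normal content and scripts/speak.sh is skipped because a shebang is expected there. Run check_skill_tree against a freshly cloned skill directory before installing it.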

INFO Installation connects to GitHub to clone openclaw/skills monorepo 0

The Oathe installer performed a sparse git clone of https://github.com/openclaw/skills.git targeting only skills/abhishek-official1/clawvox. The single outbound TLS connection (140.82.121.4:443) is consistent with legitimate GitHub access. No other external hosts were contacted during installation.

INFO Canary file read events attributed to Oathe audit infrastructure, not the skill 0

inotifywait events at 04:41:32 show read-only access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials. These accesses precede the skill installation by ~5 seconds (git clone starts at 04:41:37) and are consistent with the Oathe framework initializing canary baseline hashes. The skill contains no install hooks capable of triggering these accesses. Oathe canary integrity check confirms no exfiltration.