Is hongkongkiwi/elevenlabs-cli safe?

https://github.com/openclaw/skills/tree/main/skills/hongkongkiwi/elevenlabs-cli

Overall score: 93/100 · Verdict: SAFE

The hongkongkiwi/elevenlabs-cli skill is a documentation-only package containing no executable code, no install hooks, and no prompt injection directives. All canary files remained intact throughout the audit, and no sensitive data was exfiltrated during the clone and install process. The primary risk profile is behavioral: the skill equips an AI agent with knowledge of voice cloning, audio transcription, and document ingestion capabilities that are dual-use, and all processed content is transmitted to the third-party ElevenLabs API by design and with transparent disclosure.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 95/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (6)

MEDIUM Third-party API data disclosure by design -12

The skill explicitly documents that the user's ELEVENLABS_API_KEY and all text/audio content processed through the CLI are transmitted to api.elevenlabs.io. While this is transparently disclosed in the Trust Statement, users must trust ElevenLabs' data handling practices and retention policies. The skill author has no control over server-side data handling.

MEDIUM Voice cloning and audio transcription are dual-use capabilities -15

The CLI documented by this skill includes voice cloning from audio samples and speech-to-text transcription with speaker diarization. An AI agent equipped with this skill and file-system access tools could transcribe private recordings or clone voices from local audio files without explicit per-action user consent.

LOW Community-maintained unofficial CLI — upstream binary provenance not audited -10

The skill clearly labels itself as an unofficial, community-maintained CLI not endorsed by ElevenLabs. The actual elevenlabs-cli binary installed via Homebrew, Cargo, or other package managers is outside the scope of this skill audit. A compromised upstream binary would not be detectable from this skill's SKILL.md content.

LOW Knowledge base RAG endpoint enables document ingestion to third-party account -5

The knowledge base commands (add-from-url, add-from-file) transmit document content to the user's ElevenLabs account for RAG purposes. If an attacker controls an ElevenLabs account and tricks a user into using that account's API key, local documents could be ingested into the attacker's account and become accessible to them remotely.

INFO Post-install gateway connections to AWS/Cloudflare endpoints -8

After skill installation, the openclaw-gatewa process established connections to 3.213.170.18:443 (AWS EC2) and 104.16.10.34:443 (Cloudflare). These are attributable to the OpenClaw execution infrastructure, not the skill. Process ancestry confirms the connections originate from pid=1088 (openclaw-gatewa) which predates the skill install.

INFO External GitHub URL referenced for package downloads -5

SKILL.md references https://github.com/hongkongkiwi/elevenlabs-cli/* for package downloads. This is benign documentation, but if a compromised GitHub repository replaced the CLI with malicious code, users following install instructions from the skill would be affected. The skill itself does not instruct the agent to fetch from this URL.