Is elevenlabs-voices safe?
https://clawhub.ai/robbyczgw-cla/elevenlabs-voices
This ElevenLabs TTS skill provides legitimate voice synthesis functionality with clean documentation and no prompt injection. However, filesystem monitoring during installation reveals concerning access to sensitive files (AWS credentials, SSH host keys, agent auth profiles) that have no relationship to TTS functionality. While no network exfiltration was observed and canary files remained intact, the pattern of repeated sensitive file reads represents a meaningful security risk, particularly in multi-skill environments where credential exposure could be exploited by other components.
Findings (13)
HIGH Sensitive file access during install: AWS credentials and SSH keys -40
Filesystem monitoring captured reads of ~/.aws/credentials, /etc/ssh/ssh_host_rsa_key, and /etc/ssh/ssh_host_rsa_key.pub during the skill installation phase. These files contain cloud provider secrets and host SSH private keys. No TTS skill should require access to AWS credentials or SSH host keys.
HIGH Access to auth-profiles.json containing agent credentials -18
The install process read ~/.openclaw/agents/main/agent/auth-profiles.json, which likely contains OAuth tokens, API keys, and authentication profiles for the agent's connected services. This file is not referenced anywhere in the skill's source code, so the read is either performed by the OpenClaw runtime while it loads agent state during install or by code outside the skill's visible sources; the read log alone does not say which, and in neither case does a TTS skill's install path need it.
MEDIUM Repeated systematic reads of user profile and config files -35
The monitoring log shows 5+ repeated cycles of reading ~/.openclaw/openclaw.json, ~/.profile, and ~/.bashrc in rapid succession. While individual reads could be normal config lookup, the repeated pattern suggests enumeration or scanning behavior rather than a single purposeful read.
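The three findings above are the kind of thing a filesystem-monitoring log can be checked for mechanically. The following is an added example of that detection logic, not the audit tooling's own code: it parses a constructed log (epoch timestamp, pid, operation, path; the format and all sample lines are made up for the example), flags reads of credential files such as ~/.aws/credentials, SSH host keys and auth-profiles.json, and separately flags config files read in tight bursts rather than once.

```python
"""Detection over a filesystem-monitoring log: flag reads of credential files
and tight bursts of repeated config reads.

Added example, not the audit tooling's own code. The log format (epoch
timestamp, pid, operation, path) and the sample lines are constructed."""
import re
from collections import defaultdict

# Paths a TTS skill has no reason to open, each paired with a report label.
# The ssh_host .pub file is public material; it is listed because reading it
# together with the private key is part of the same pattern.
SENSITIVE_PATTERNS = [
    (re.compile(r"^/home/[^/]+/\.aws/credentials$"), "cloud credentials"),
    (re.compile(r"^/home/[^/]+/\.ssh/id_[a-z0-9]+$"), "ssh user private key"),
    (re.compile(r"^/etc/ssh/ssh_host_[a-z0-9]+_key$"), "ssh host private key"),
    (re.compile(r"^/etc/ssh/ssh_host_[a-z0-9]+_key\.pub$"), "ssh host public key"),
    (re.compile(r"^/home/[^/]+/\.openclaw/agents/[^/]+/agent/auth-profiles\.json$"),
     "agent auth profiles"),
]

# Config files a single startup reads once. Many reads in a short window look
# like enumeration rather than a config lookup.
CONFIG_BASENAMES = {"openclaw.json", ".profile", ".bashrc"}

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<pid>\d+)\s+(?P<op>\w+)\s+(?P<path>\S+)$")


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": float(m["ts"]), "pid": int(m["pid"]),
                           "op": m["op"], "path": m["path"]})
    return events


def sensitive_reads(events):
    """Return (ts, path, label) for every open/read of a sensitive path."""
    hits = []
    for e in events:
        if e["op"] not in ("open", "read"):
            continue
        for pattern, label in SENSITIVE_PATTERNS:
            if pattern.match(e["path"]):
                hits.append((e["ts"], e["path"], label))
                break
    return hits


def repeated_config_reads(events, threshold=3, window=5.0):
    """Return {basename: (total_reads, span_seconds)} for config files read at
    least `threshold` times inside some `window`-second interval."""
    times = defaultdict(list)
    for e in events:
        if e["op"] in ("open", "read"):
            name = e["path"].rsplit("/", 1)[-1]
            if name in CONFIG_BASENAMES:
                times[name].append(e["ts"])
    flagged = {}
    for name, ts in times.items():
        ts.sort()
        densest, j = 0, 0
        for i in range(len(ts)):          # sliding window over sorted timestamps
            while ts[i] - ts[j] > window:
                j += 1
            densest = max(densest, i - j + 1)
        if densest >= threshold:
            flagged[name] = (len(ts), round(ts[-1] - ts[0], 2))
    return flagged


def audit(text):
    events = parse_log(text)
    return {"sensitive": sensitive_reads(events),
            "repeated": repeated_config_reads(events)}


# Constructed sample: five rapid config-read cycles, then the credential reads
# the findings describe, then ordinary skill and runtime activity.
SAMPLE_LOG = "\n".join(
    [f"1700000001.{k}{j} 4242 open /home/user/{p}"
     for k in range(5)
     for j, p in enumerate([".openclaw/openclaw.json", ".profile", ".bashrc"])]
    + [
        "1700000002.00 4242 open /home/user/.aws/credentials",
        "1700000002.05 4242 open /etc/ssh/ssh_host_rsa_key",
        "1700000002.06 4242 open /etc/ssh/ssh_host_rsa_key.pub",
        "1700000002.10 4242 open /home/user/.openclaw/agents/main/agent/auth-profiles.json",
        "1700000002.50 4242 open /home/user/skills/elevenlabs-voices/config.json",
        "1700000003.00 4242 write /tmp/openclaw-1000/gateway.lock",
    ])

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for ts, path, label in report["sensitive"]:
        print(f"SENSITIVE {label}: {path}")
    for name, (count, span) in report["repeated"].items():
        print(f"REPEATED {name}: {count} reads in {span}s")
```

The sliding window is what separates a burst from a normal lookup: three reads of .bashrc spread over a minute are not flagged, five within half a second are. The skill's own config.json read is deliberately not in the sensitive list, since that is the file the skill is documented to use.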
MEDIUM Python scripts with broad filesystem and network access -18
The skill includes 4 Python scripts that use urllib.request for HTTP calls and pathlib/os for filesystem access. While these are used for legitimate ElevenLabs API calls, they provide arbitrary HTTP and filesystem capabilities when the agent executes them. The scripts read API keys from multiple locations including environment variables and config files.
MEDIUM Setup wizard creates persistent credential file -10
setup.py creates config.json containing the user's ElevenLabs API key in plaintext. While documented and expected, this creates a persistent credential file in the skill directory that other skills or processes could read. A restrictive file mode (0600) keeps it from other users on the host, but not from other skills or processes running as the same user as the agent.
LOW Reads .env file for API key extraction -5
Scripts read the skill-local .env file line by line looking for ELEVEN_API_KEY. The code only extracts the matching key, but every line of the file passes through process memory during the scan, so if .env also holds other secrets (database passwords, other API keys) they are exposed to that process for the duration of the read.
INFO SKILL.md is clean documentation with no hidden directives 0
The SKILL.md file contains straightforward TTS documentation with voice tables, CLI usage examples, and configuration instructions. No prompt injection patterns, hidden instructions, or agent manipulation attempts were found.
INFO Triggers are appropriately scoped to TTS functionality 0
The trigger phrases ('use voice', 'speak as', 'list voices', 'voice settings', 'generate sound effect', 'design a voice') are all directly related to the skill's stated TTS purpose and do not attempt to hijack unrelated agent commands.
LOW Skill suggests modifying OpenClaw global config -5
SKILL.md instructs users to modify ~/.openclaw/openclaw.json to add TTS configuration including an API key. While this is standard integration documentation, it encourages placing credentials in a shared config file accessible to all skills.
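The three credential-handling findings (config.json written in plaintext, .env scanned line by line, and the API key placed in a config readable by every skill) share one remedy: resolve the key from the process environment first, fall back to skill-local files only when they are private, and create config.json with a restrictive mode from the first byte. The following is an added example of that loader, not the skill's setup.py or its own key lookup. It assumes the key name ELEVEN_API_KEY from the finding, a skill directory that may hold .env and config.json, and a POSIX filesystem for mode bits; the sample .env contents are constructed.

```python
"""Load an ElevenLabs API key without leaving it readable by others.

Added example, not the skill's own setup.py or key lookup. Assumes the key
name ELEVEN_API_KEY, a skill directory holding an optional .env and
config.json, and POSIX file modes."""
import json
import os
import stat
import tempfile
from pathlib import Path

KEY_NAME = "ELEVEN_API_KEY"


def is_private_file(path):
    """A regular file with no group/other permission bits (mode 0600 or 0400)."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def key_from_dotenv(path):
    """Scan a dotenv file for KEY_NAME only. Lines are discarded as they are
    passed over and the scan stops at the first match, so unrelated secrets are
    never collected into a list or kept after the call returns."""
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            name, sep, value = line.partition("=")
            if sep and name.strip() == KEY_NAME:
                return value.strip().strip("'\"")
    return None


def key_from_config(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh).get("api_key")


def write_config(path, api_key):
    """Create config.json with mode 0600 at creation, instead of creating it
    with the umask default and tightening afterwards (which leaves a window)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({"api_key": api_key}, fh)
    os.chmod(path, 0o600)  # O_CREAT's mode is ignored if the file already existed


def load_api_key(skill_dir, env=None):
    """Resolution order: process environment, then skill-local .env, then
    config.json. A file other users could read is refused rather than used."""
    env = os.environ if env is None else env
    if env.get(KEY_NAME):
        return env[KEY_NAME], "environment"
    for name, loader in ((".env", key_from_dotenv), ("config.json", key_from_config)):
        path = Path(skill_dir) / name
        if not path.exists():
            continue
        if not is_private_file(path):
            raise PermissionError(f"{path} is readable by other users; chmod 600 it")
        key = loader(path)
        if key:
            return key, name
    return None, None


def demo():
    """Exercise the loader against a constructed skill directory; returns what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        skill = Path(d)
        # constructed .env: the TTS key next to an unrelated secret
        dotenv = skill / ".env"
        dotenv.write_text("# constructed sample\nDB_PASSWORD=hunter2\n"
                          f"{KEY_NAME}='sk_example_dotenv'\n")
        os.chmod(dotenv, 0o600)
        results["dotenv"] = load_api_key(skill, env={})
        # the same file made world-readable: the loader refuses it
        os.chmod(dotenv, 0o644)
        try:
            load_api_key(skill, env={})
            results["loose_dotenv"] = "used"
        except PermissionError:
            results["loose_dotenv"] = "refused"
        dotenv.unlink()
        # the setup step, writing config.json with the right mode from creation
        write_config(skill / "config.json", "sk_example_config")
        results["config_mode"] = oct(os.stat(skill / "config.json").st_mode & 0o777)
        results["config"] = load_api_key(skill, env={})
        results["env_wins"] = load_api_key(skill, env={KEY_NAME: "sk_example_env"})
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The mode check addresses other users on the host. It does nothing against other skills that run as the same user as the agent, which is exactly the exposure the findings above describe, so preferring the environment variable (set for the one process that needs it) over any file is the part that matters most in a multi-skill install.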
INFO All canary files passed integrity check 0
Honeypot files placed as fake .env, SSH keys, and AWS credentials were not modified or tampered with during the audit.
LOW Temporary files created in /tmp during install -10
Lock file and jiti cache files were created in /tmp/openclaw-1000/ and /tmp/jiti/ during install. These appear to be from the OpenClaw runtime (gateway lock, CJS module compilation) rather than from the skill itself, but they indicate code execution occurred during the install process.
MEDIUM Skill could enable two-stage credential exfiltration -30
The combination of sensitive file reads (AWS creds, SSH keys, auth profiles) during install and the skill's ability to make HTTP requests to ElevenLabs API creates a potential two-stage attack vector. A malicious version could read credentials during install and exfiltrate them via API call parameters or custom endpoints disguised as ElevenLabs requests.
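The second stage of that attack needs an outbound request that is not really going to ElevenLabs, or one that is but carries stolen material in its parameters. Both can be checked before urllib opens anything. The following is an added example of such a guard, not code from the skill: an exact-host allowlist that rejects the usual look-alike URLs (userinfo tricks, look-alike subdomains, raw IPs, odd ports, http), re-checks redirects, and refuses bodies containing credential-shaped strings. The allowed host api.elevenlabs.io is an assumption about which host the skill needs; the credential markers used are the AWS access-key-ID prefix and the PEM private-key header, and the test strings are constructed (the AWS value is the documented example key ID).

```python
"""Restrict a skill's outbound HTTP to the one host it needs and refuse request
bodies that carry credential-shaped material.

Added example, not the skill's code. ALLOWED_HOSTS is an assumption about the
host the skill legitimately calls."""
import ipaddress
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.elevenlabs.io"}

CREDENTIAL_MARKERS = [
    (re.compile(rb"\bAKIA[0-9A-Z]{16}\b"), "AWS access key id"),
    (re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "PEM private key"),
    (re.compile(rb"aws_secret_access_key", re.IGNORECASE), "aws credentials file text"),
]


def check_egress(url, allowed=ALLOWED_HOSTS):
    """Return (ok, reason). Only https to an exact allowlisted host on 443 passes;
    the rejections cover the usual ways a URL is dressed up as the right host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        # https://api.elevenlabs.io@evil.example/ actually connects to evil.example
        return False, "userinfo in URL"
    host = parts.hostname  # lowercased, userinfo and port stripped
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)
        return False, "literal IP address"
    except ValueError:
        pass
    if host not in allowed:
        # also rejects api.elevenlabs.io.evil.example and the trailing-dot form
        return False, f"host {host!r} not allowlisted"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, f"port {port} not allowed"
    return True, "ok"


def find_credential_material(body):
    """Label of the first credential-shaped pattern in a request body, or None."""
    if body is None:
        return None
    for pattern, label in CREDENTIAL_MARKERS:
        if pattern.search(body):
            return label
    return None


def vet_request(url, body=None):
    """Combined decision for one outbound request: (ok, reason)."""
    ok, reason = check_egress(url)
    if not ok:
        return False, f"egress refused: {reason}"
    label = find_credential_material(body)
    if label:
        return False, f"request body contains {label}"
    return True, "ok"


class _CheckedRedirects(urllib.request.HTTPRedirectHandler):
    """A redirect from the allowed host to anywhere else is refused as well."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        ok, reason = check_egress(newurl)
        if not ok:
            raise urllib.error.HTTPError(newurl, code, f"redirect refused: {reason}", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


GUARDED_OPENER = urllib.request.build_opener(_CheckedRedirects)


def build_request(url, body=None, headers=None):
    """Vet first, then build the Request to be opened with GUARDED_OPENER."""
    ok, reason = vet_request(url, body)
    if not ok:
        raise PermissionError(reason)
    return urllib.request.Request(url, data=body, headers=headers or {})


if __name__ == "__main__":
    for u in ("https://api.elevenlabs.io/v1/voices",
              "https://api.elevenlabs.io@evil.example/v1/voices",
              "https://api.elevenlabs.io.evil.example/v1/voices"):
        print(u, check_egress(u))
```

The body check is a coarse signal, not a guarantee: an attacker who controls the script can encode or split the data. Its value is in catching the naive version of the attack and, more importantly, in forcing any exfiltration to go to api.elevenlabs.io itself, where it is visible in the account's request history rather than to an arbitrary endpoint.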
LOW Pronunciation dictionary could be used for social engineering -5
The pronunciations.json file replaces words before sending to TTS. A malicious update could replace benign words with misleading content (e.g., replacing 'safe' with 'dangerous' in spoken output), though this is a low-probability attack vector.