Low Risk — Risk Score 20/100
Last scan: 1 day ago
voice-agent
ElevenLabs voice cloning and TTS generation skill with optional Twilio outbound/inbound call automation
Legitimate ElevenLabs + Twilio voice/TTS skill with documented network behavior and API-based functionality; two minor gaps in capability declaration and dependency management, but no malicious behavior detected.
Skill Name: voice-agent
Duration: 65.9s
Engine: pi
Verdict: Safe to install
Recommendation: Add shell:WRITE to SKILL.md metadata, pin all pip/apt dependencies with exact versions, and create a requirements.txt file to eliminate supply-chain risk.

Findings 4 items

[Medium] Shell execution not declared in capability metadata (Priv Escalation)
Location: SKILL.md:1
voice_generator.py uses subprocess.run for ffmpeg and ffprobe (lines 182 and 200), and SKILL.md includes inline bash commands (pip install, apt-get install). These require the shell:WRITE capability, but the SKILL.md metadata block does not declare it. While the execution is legitimate for a media-processing tool, the mismatch between declared metadata and actual usage is a doc-to-code violation.
Evidence: metadata.openclaw.resources does not list shell:WRITE despite subprocess usage in voice_generator.py
→ Add 'shell:WRITE' to the SKILL.md metadata required_paths section or explicitly document subprocess usage in the shell permissions section.

[Low] Dependencies not pinned to specific versions (Supply Chain)
Location: SKILL.md:266
SKILL.md instructs 'pip install elevenlabs --break-system-packages' and 'pip install twilio' without version specifiers. No requirements.txt or package.json exists. This creates a supply-chain risk where future malicious or compromised versions of elevenlabs/twilio could be installed.
Evidence: pip install elevenlabs --break-system-packages
→ Pin versions: pip install elevenlabs==1.0.0 elevenlabs-voice==X.Y.Z. Create a requirements.txt and commit it to the repository.

[Low] Runtime dependency installation without version pinning (Supply Chain)
Location: SKILL.md:497
The error handling section instructs 'apt-get install -y ffmpeg' and 'pip install requests --break-system-packages' without version constraints. The requests library is installed as a fallback in tts_chunk() (line 143) but is not version-pinned.
Evidence: apt-get install -y ffmpeg
→ Pin system packages (apt-get install -y ffmpeg=<version>) and add requests==<version> to a requirements.txt.

[Info] Cron schedule documented but not declared as persistence (Doc Mismatch)
Location: SKILL.md:557
SKILL.md documents cron jobs for daily outbound calls and weekly VSL refresh (lines 557-563). Cron jobs are a persistence mechanism but are not listed as a threat category in findings. They are documented with the skill owner's intent, making this informational rather than a violation.
Evidence: 0 10 * * 1-5   voice-agent → process /workspace/voice/calls/pending/
→ Document that cron is owned by the skill operator (Wesley) and not an external party.
Resources 5 items

Resource     | Declared   | Inferred   | Status    | Evidence
Filesystem   | READ+WRITE | READ+WRITE | ✓ Aligned | SKILL.md metadata required_paths read/write lists /workspace/voice/* and /worksp…
Network      | READ       | READ       | ✓ Aligned | SKILL.md metadata network_behavior declares api.elevenlabs.io and api.twilio.com…
Shell        | NONE       | WRITE      | ✓ Aligned | voice_generator.py:182 subprocess.run(ffmpeg), voice_generator.py:201 subprocess…
Environment  | NONE       | READ       | ✓ Aligned | get_api_key() reads os.environ.get('ELEVENLABS_API_KEY') — environment access is…
Skill Invoke | READ       | READ       | ✓ Aligned | SKILL.md requires virtual-desktop skill for self-configuration phase
13 findings

Severity | Type          | Value                                         | Location
Medium   | External URL  | https://elevenlabs.io                         | SKILL.md:36
Medium   | External URL  | https://api.elevenlabs.io                     | SKILL.md:37
Medium   | External URL  | https://api.twilio.com                        | SKILL.md:38
Medium   | External URL  | https://elevenlabs.io/app/sign-in             | SKILL.md:110
Medium   | External URL  | https://api.elevenlabs.io/v1/user             | SKILL.md:270
Medium   | External URL  | https://api.elevenlabs.io/v1/voices/add       | SKILL.md:313
Medium   | External URL  | https://api.elevenlabs.io/v1/voices           | SKILL.md:332
Medium   | External URL  | https://elevenlabs.io/app/home                | SKILL.md:391
Medium   | External URL  | https://elevenlabs.io/app/settings/api-keys   | SKILL.md:423
Medium   | External URL  | https://elevenlabs.io/app/voice-lab           | SKILL.md:448
Medium   | External URL  | https://api.elevenlabs.io/v1/voices/$VOICE_ID | SKILL.md:479
Medium   | External URL  | https://api.elevenlabs.io/v1/text-to-speech/  | voice_generator.py:118
Info     | Email address | [email protected]                             | README.md:31

File Tree

5 files · 42.1 KB · 1320 lines
Markdown: 3 files, 961 lines · Python: 1 file, 331 lines · JSON: 1 file, 28 lines
├─ 📝 agent_prompt.md (Markdown, 78 lines, 2.7 KB)
├─ 🔑 config.json (JSON, 28 lines, 793 B)
├─ 📝 README.md (Markdown, 104 lines, 2.7 KB)
├─ 📝 SKILL.md (Markdown, 779 lines, 24.1 KB)
└─ 🐍 voice_generator.py (Python, 331 lines, 11.8 KB)

Dependencies 4 items

Package    | Version  | Source | Known Vulns | Notes
elevenlabs | unpinned | pip    | No          | No version specifier in SKILL.md pip install command; create requirements.txt
requests   | unpinned | pip    | No          | Used as fallback HTTP library in tts_chunk(); no version pin
twilio     | unpinned | pip    | No          | Optional dependency for call functionality; not version-pinned
ffmpeg     | unpinned | apt    | No          | Runtime install via apt-get; used for audio concatenation

Security Positives

✓ No credential exfiltration — ELEVENLABS_API_KEY is read and used only for ElevenLabs API calls, never transmitted elsewhere
✓ No data exfiltration — generated audio and call transcripts are written to local paths only
✓ No obfuscation — no base64, no eval(), no encoded payloads
✓ No sensitive path access — no reads of ~/.ssh, ~/.aws, .env outside the skill's declared paths
✓ No reverse shell, C2, or remote code execution vectors
✓ API calls are to legitimate, declared endpoints (api.elevenlabs.io, api.twilio.com)
✓ Network behavior is clearly documented in SKILL.md network_behavior section
✓ Subprocess usage is confined to standard media tools (ffmpeg, ffprobe) and package management
✓ File writes are scoped to the skill's declared workspace (/workspace/voice/) and learning files
✓ Cron jobs are documented with skill-owner intent, not external compromise