voice-agent 安全扫描报告 — 低风险 | ClawSafe

20 /100

voice-agent

ElevenLabs voice cloning and TTS generation skill with optional Twilio outbound/inbound call automation

Legitimate ElevenLabs + Twilio voice/TTS skill with documented network behavior and API-based functionality; two minor gaps in capability declaration and dependency management, but no malicious behavior detected.

技能名称voice-agent

分析耗时65.9s

引擎pi

✓

可以安装

Add shell:WRITE to SKILL.md metadata, pin all pip/apt dependencies with exact versions, and create a requirements.txt file to eliminate supply-chain risk.

安全发现 4 项

严重性	安全发现	位置
中危	Shell execution not declared in capability metadata 权限提升 voice_generator.py uses subprocess.run for ffmpeg and ffprobe (line 182, 200), and SKILL.md includes inline bash commands (pip install, apt-get install). These require shell:WRITE capability, but the SKILL.md metadata block does not declare it. While the execution is legitimate for a media-processing tool, the mismatch between declared metadata and actual usage is a doc-to-code violation. `metadata.openclaw.resources: not listing shell:WRITE despite subprocess usage in voice_generator.py` → Add 'shell:WRITE' to the SKILL.md metadata required_paths section or explicitly document subprocess usage in the shell permissions section.	`SKILL.md:1`
低危	Dependencies not pinned to specific versions 供应链 SKILL.md instructs 'pip install elevenlabs --break-system-packages' and 'pip install twilio' without version specifiers. No requirements.txt or package.json exists. This creates a supply-chain risk where future malicious or compromised versions of elevenlabs/twilio could be installed. `pip install elevenlabs --break-system-packages` → Pin versions: pip install elevenlabs==1.0.0 elevenlabs-voice==X.Y.Z. Create a requirements.txt and commit it to the repository.	`SKILL.md:266`
低危	Runtime dependency installation without version pinning 供应链 The error handling section instructs 'apt-get install -y ffmpeg' and 'pip install requests --break-system-packages' without version constraints. The requests library is installed as a fallback in tts_chunk() (line 143) but is not version-pinned. `apt-get install -y ffmpeg` → Pin system packages (apt-get install -y ffmpeg=<version>) and add requests==<version> to a requirements.txt.	`SKILL.md:497`
提示	Cron schedule documented but not declared as persistence 文档欺骗 SKILL.md documents cron jobs for daily outbound calls and weekly VSL refresh (lines 557-563). Cron jobs are a persistence mechanism but are not listed as a threat category in findings. They are documented with the skill owner's intent, making this informational rather than a violation. `0 10 * * 1-5 voice-agent → process /workspace/voice/calls/pending/` → Document that cron is owned by the skill operator (Wesley) and not an external party.	`SKILL.md:557`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ+WRITE`	`READ+WRITE`	✓ 一致	SKILL.md metadata required_paths read/write lists /workspace/voice/* and /worksp…
网络访问	`READ`	`READ`	✓ 一致	SKILL.md metadata network_behavior declares api.elevenlabs.io and api.twilio.com…
命令执行	`NONE`	`WRITE`	✓ 一致	voice_generator.py:182 subprocess.run(ffmpeg), voice_generator.py:201 subprocess…
环境变量	`NONE`	`READ`	✓ 一致	get_api_key() reads os.environ.get('ELEVENLABS_API_KEY') — environment access is…
技能调用	`READ`	`READ`	✓ 一致	SKILL.md requires virtual-desktop skill for self-configuration phase

13 项发现

🔗

中危外部 URL 外部 URL

https://elevenlabs.io

SKILL.md:36

🔗

中危外部 URL 外部 URL

https://api.elevenlabs.io

SKILL.md:37

🔗

中危外部 URL 外部 URL

https://api.twilio.com

SKILL.md:38

🔗

中危外部 URL 外部 URL

https://elevenlabs.io/app/sign-in

SKILL.md:110

🔗

中危外部 URL 外部 URL

https://api.elevenlabs.io/v1/user

SKILL.md:270

🔗

中危外部 URL 外部 URL

https://api.elevenlabs.io/v1/voices/add

SKILL.md:313

🔗

中危外部 URL 外部 URL

https://api.elevenlabs.io/v1/voices

SKILL.md:332

🔗

中危外部 URL 外部 URL

https://elevenlabs.io/app/home

SKILL.md:391

🔗

中危外部 URL 外部 URL

https://elevenlabs.io/app/settings/api-keys

SKILL.md:423

🔗

中危外部 URL 外部 URL

https://elevenlabs.io/app/voice-lab

SKILL.md:448

🔗

中危外部 URL 外部 URL

https://api.elevenlabs.io/v1/voices/$VOICE_ID

SKILL.md:479

🔗

中危外部 URL 外部 URL

https://api.elevenlabs.io/v1/text-to-speech/

voice_generator.py:118

📧

提示邮箱邮箱地址

[email protected]

README.md:31

目录结构

5 文件 · 42.1 KB · 1320 行

Markdown 3f · 961L Python 1f · 331L JSON 1f · 28L

├─ 📝 agent_prompt.md Markdown 78L · 2.7 KB

├─ 🔑 config.json ⚠ JSON 28L · 793 B

├─ 📝 README.md Markdown 104L · 2.7 KB

├─ 📝 SKILL.md Markdown 779L · 24.1 KB

└─ 🐍 voice_generator.py Python 331L · 11.8 KB

依赖分析 4 项

包名	版本	来源	已知漏洞	备注
`elevenlabs`	`unpinned`	pip	否	No version specifier in SKILL.md pip install command; create requirements.txt
`requests`	`unpinned`	pip	否	Used as fallback HTTP library in tts_chunk(); no version pin
`twilio`	`unpinned`	pip	否	Optional dependency for call functionality; not version-pinned
`ffmpeg`	`unpinned`	apt	否	Runtime install via apt-get; used for audio concatenation

安全亮点

✓ No credential exfiltration — ELEVENLABS_API_KEY is read and used only for ElevenLabs API calls, never transmitted elsewhere

✓ No data exfiltration — generated audio and call transcripts are written to local paths only

✓ No obfuscation — no base64, no eval(), no encoded payloads

✓ No sensitive path access — no reads of ~/.ssh, ~/.aws, .env outside the skill's declared paths

✓ No reverse shell, C2, or remote code execution vectors

✓ API calls are to legitimate, declared endpoints (api.elevenlabs.io, api.twilio.com)

✓ Network behavior is clearly documented in SKILL.md network_behavior section

✓ Subprocess usage is confined to standard media tools (ffmpeg, ffprobe) and package management

✓ File writes are scoped to the skill's declared workspace (/workspace/voice/) and learning files

✓ Cron jobs are documented with skill-owner intent, not external compromise