voice-clone

Warn

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: MEDIUM
Flagged categories: DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The cmdSource function in scripts/voice-clone.ts allows users to specify local file paths via the --files argument. The script resolves these paths and copies the files to an output directory using readFileSync and writeFileSync without validating the file type or restricting access to specific directories. This creates a significant data exposure surface where an agent could be manipulated into reading sensitive system files (e.g., .ssh keys or .env files) and exposing them in the skill's output folder.
  • [COMMAND_EXECUTION]: The skill executes external binaries such as ffmpeg and yt-dlp using Bun.spawn. While arguments are passed as an array (reducing direct shell injection risks), the command parameters are constructed from user-provided inputs like directory paths and durations, which could be abused if specially crafted strings are passed to these underlying tools.
  • [EXTERNAL_DOWNLOADS]: The source command can download audio files from arbitrary URLs provided via the --url argument. This functionality can be used to fetch content from untrusted remote servers and could be leveraged for Server-Side Request Forgery (SSRF) if the agent is tricked into accessing internal network resources.
  • [CREDENTIALS_UNSAFE]: The skill requires a sensitive ELEVENLABS_API_KEY to function. The script retrieves this credential from environment variables and transmits it in headers to the ElevenLabs API. While this is a standard pattern for such integrations, it represents a credential handling risk if the environment or the script execution is compromised.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its ingestion of untrusted external data.
      • Ingestion points: URLs and local file paths provided to the source command in scripts/voice-clone.ts.
      • Boundary markers: None. There are no delimiters or instructions to ignore embedded commands in the processed data.
      • Capability inventory: Bun.spawn (executing ffmpeg/yt-dlp), fetch (network requests to arbitrary URLs and the ElevenLabs API), and file system read/write operations.
      • Sanitization: None. The script does not sanitize or validate input paths or URLs before processing them.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 16, 2026, 03:27 AM