skills/wulaosiji/skills/voice-clone/Gen Agent Trust Hub

voice-clone

Fail

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
  • [CREDENTIALS_UNSAFE]: A hardcoded API key was identified in the sample code provided within the documentation.
      • Evidence: In SKILL.md, the WAVESPEED_KEY variable is assigned a default hardcoded string value: b9c67f3def268385bb9734970b11531f12ea24ae0d153859242e48ae46227668.
  • [DATA_EXFILTRATION]: The skill accesses local audio files and uploads their content to a remote server for processing.
      • Evidence: The clone_voice function in voice_clone.py reads a file from a local path, encodes it into Base64, and sends it to https://api.wavespeed.ai/api/v3/minimax/voice-clone via a POST request.
  • [EXTERNAL_DOWNLOADS]: The skill retrieves generated audio files from external URLs provided by the API service.
      • Evidence: The download_audio function in voice_clone.py uses the requests library to fetch and save binary content from an audio_url provided by the API predictions result.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 8, 2026, 02:24 AM