Trust Assessment
elevenlabs-tts received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 3 critical, 5 high, 0 medium, and 1 low severity. Key findings include Covert behavior / concealment directives, Arbitrary command execution, Dangerous tool allowed: exec.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 38/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings9
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/shaharsha/elevenlabs-tts/lib/audio_convert.py:49 | |
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/shaharsha/elevenlabs-tts/lib/audio_convert.py:89 | |
| CRITICAL | Command Injection in audio concatenation via ffmpeg -safe 0 The `concat_audio` function in `lib/audio_convert.py` uses `subprocess.run` to execute `ffmpeg` with the `-safe 0` option for its concat demuxer. This option disables security checks, allowing `ffmpeg` to interpret arbitrary file names as options. User-controlled input file paths (`input_files` from `sys.argv`) are written to a temporary concat list file using `file 'path'`. If an `input_file` path contains a single quote, it can break out of the string and inject arbitrary `ffmpeg` options. This can lead to arbitrary file read/write, denial of service, or information disclosure. Remove the `-safe 0` flag from the `ffmpeg` command in `concat_audio`. If arbitrary file names are truly required, implement robust escaping for paths written to the concat list file to prevent injection. Additionally, validate user-provided `input_files` to ensure they are legitimate file paths and do not contain malicious characters or `ffmpeg` options. | LLM | lib/audio_convert.py:76 | |
| HIGH | Dangerous tool allowed: exec The skill allows the 'exec' tool without constraints. This grants arbitrary command execution. Remove unconstrained shell/exec tools from allowed-tools, or add specific command constraints. | Static | skills/shaharsha/elevenlabs-tts/SKILL.md:1 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'convert_to_opus'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/shaharsha/elevenlabs-tts/lib/audio_convert.py:49 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'concat_audio'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/shaharsha/elevenlabs-tts/lib/audio_convert.py:89 | |
| HIGH | Command Injection in audio conversion via ffmpeg with unvalidated paths The `convert_to_opus` function in `lib/audio_convert.py` constructs an `ffmpeg` command using user-provided `input_path` and `output_path` directly from `sys.argv`. Although `subprocess.run` with a list of arguments mitigates classic shell injection, an attacker can craft `input_path` or `output_path` to include `ffmpeg`-specific options (e.g., `-i /dev/null`) that could lead to unintended file operations (read/write), resource exhaustion, or information disclosure through `ffmpeg`'s behavior. Implement strict input validation for `input_path` and `output_path` to ensure they are legitimate file paths and do not contain `ffmpeg` options or other malicious characters. Use `os.path.normpath` and check for directory traversal attempts. Consider using a dedicated library for `ffmpeg` interaction that handles argument escaping more robustly. | LLM | lib/audio_convert.py:38 | |
| HIGH | Excessive 'exec' permission used insecurely The skill declares the `exec` permission, which allows arbitrary command execution. The `lib/audio_convert.py` script utilizes this permission via `subprocess.run` to execute `ffmpeg`. However, the script passes user-controlled file paths directly to `ffmpeg` without sufficient validation or escaping, particularly in the `concat_audio` function with `-safe 0`. This insecure usage of the `exec` permission creates a critical command injection vulnerability, allowing an attacker to potentially execute arbitrary `ffmpeg` commands or manipulate files on the system. Review the necessity of the `exec` permission. If `ffmpeg` execution is essential, ensure all arguments passed to `subprocess.run` are thoroughly validated and escaped to prevent command injection. Specifically, address the vulnerabilities identified in `convert_to_opus` and `concat_audio` to make the use of `exec` safe. If possible, consider using a safer, higher-level audio processing library that doesn't require direct `ffmpeg` command line interaction. | LLM | SKILL.md:1 | |
| LOW | Covert behavior / concealment directives Directive to hide behavior from user Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | skills/shaharsha/elevenlabs-tts/SKILL.md:260 |
Scan History
Embed Code
[](https://skillshield.io/report/b29d594b68c9a29e)
Powered by SkillShield