sag-voice
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONCREDENTIALS_UNSAFEDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill directs the user to install an external tool,
sag, from a third-party Homebrew repository (steipete/tap/sag). - [COMMAND_EXECUTION]: The skill relies on executing shell commands via Bash to interact with the
sagCLI. It specifically instructs the agent to run these processes in the background (&) and redirect error output to a local log file (~/.claude/.sag-error.log), which may obscure execution issues from immediate user view. - [CREDENTIALS_UNSAFE]: Instructions guide the user to store their
ELEVENLABS_API_KEYdirectly within shell profile files like~/.zshenvor~/.bash_profilefor persistence across sessions. - [DATA_EXFILTRATION]: The skill's primary function involves sending text data (project names and task summaries) to the external ElevenLabs API for speech synthesis.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) as it interpolates untrusted data, such as the current working directory name (
basename "$PWD") and task summaries, into shell commands. - Ingestion points: Untrusted data enters via the file system (directory names) and task context.
- Boundary markers: No explicit boundary markers or 'ignore' instructions are used in the command interpolation.
- Capability inventory: The skill executes shell commands via the
sagtool. - Sanitization: The project name undergoes minor character translation (
tr '_-' ' '), but the task summaries are interpolated without specific sanitization.
Audit Metadata