sag-voice

Pass

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONCREDENTIALS_UNSAFEDATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill directs the user to install an external tool, sag, from a third-party Homebrew repository (steipete/tap/sag).
  • [COMMAND_EXECUTION]: The skill relies on executing shell commands via Bash to interact with the sag CLI. It specifically instructs the agent to run these processes in the background (&) and redirect error output to a local log file (~/.claude/.sag-error.log), which may obscure execution issues from immediate user view.
  • [CREDENTIALS_UNSAFE]: Instructions guide the user to store their ELEVENLABS_API_KEY directly within shell profile files like ~/.zshenv or ~/.bash_profile for persistence across sessions.
  • [DATA_EXFILTRATION]: The skill's primary function involves sending text data (project names and task summaries) to the external ElevenLabs API for speech synthesis.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) as it interpolates untrusted data, such as the current working directory name (basename "$PWD") and task summaries, into shell commands.
  • Ingestion points: Untrusted data enters via the file system (directory names) and task context.
  • Boundary markers: No explicit boundary markers or 'ignore' instructions are used in the command interpolation.
  • Capability inventory: The skill executes shell commands via the sag tool.
  • Sanitization: The project name undergoes minor character translation (tr '_-' ' '), but the task summaries are interpolated without specific sanitization.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 16, 2026, 03:11 AM
Security Audit — agent-trust-hub — sag-voice