elevenlabs-tts

clawhub:elevenlabs-tts

View source

92/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

92/100

MEDIUM 1

LOW 1

Findings (2)

MEDIUM

Zero-width character obfuscation PROMPT_INJECTION_004

prompt-injection L205

Detects zero-width characters used to hide content

‎

FIX

Remove hidden directives embedded in markdown, HTML comments, or encoded text. All agent-facing text should be explicit and visible in the skill definition.

FP?

Likely FP if the match is a standard markdown formatting pattern or HTML comment used for documentation rather than concealing directives.

LOW

Runtime URL controlling behavior THIRDPARTY_001

third-party-content L15

Detects URLs fetched at runtime that control or influence agent behavior without pinning

Get one at [elevenlabs.io](https:// + Settings

FIX

Avoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.

FP?

Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.