Security audit

tts-winmsg-free

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local Windows text-to-speech helper, but it uses PowerShell and local window messages in ways users should understand before enabling it.

Install only on a Windows machine where you want assistant replies spoken aloud. While TTS mode is enabled, visible replies are sent to a local process and may be heard nearby; other local software could potentially send messages to the same window. Use the documented quit command when done, and prefer a tighter direct speech implementation if you need stronger local hardening.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except: pass
        e = t.replace("'","''")
        log(f"Play vol={cv} text={t[:20]}")
        subprocess.run(
            ["powershell","-ExecutionPolicy","Bypass","-NoProfile","-c",
             "Add-Type -AssemblyName System.Speech; "
             "$s=New-Object System.Speech.Synthesis.SpeechSynthesizer; "
Confidence
92% confidence
Finding
subprocess.run( ["powershell","-ExecutionPolicy","Bypass","-NoProfile","-c", "Add-Type -AssemblyName System.Speech; " "$s=New-Object System.Speech.Synthes

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f"$s.Rate={cs};$s.Volume={cv};$s.Speak('{t.replace(chr(39),chr(39)+chr(39))}')"
    )
    b64 = base64.b64encode(cmd.encode("utf-16-le")).decode()
    subprocess.run(
        ["powershell","-ExecutionPolicy","Bypass","-NoProfile",
         "-EncodedCommand", b64],
        timeout=30, capture_output=True,
Confidence
95% confidence
Finding
subprocess.run( ["powershell","-ExecutionPolicy","Bypass","-NoProfile", "-EncodedCommand", b64], timeout=30, capture_output=True, creationflags=0x08000000)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to invoke local Python scripts and implicitly use shell execution, while also reading and writing local files such as config and HWND state files, but it declares no permissions. This creates a dangerous mismatch between the skill's documented behavior and its declared trust boundary, reducing user visibility and policy enforcement around local code execution and filesystem access.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Using PowerShell with -ExecutionPolicy Bypass grants a more permissive script execution environment than the TTS feature requires. Even if the current script body is intended only for speech synthesis, this choice lowers defenses and broadens the blast radius if command construction is influenced or the invocation path is reused elsewhere. In a local message-driven skill, that makes the design more dangerous rather than less.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Using powershell with -ExecutionPolicy Bypass gives the skill a stronger execution capability than needed for speech synthesis. In this context the process is fed data from interprocess messages, so any flaw in command construction or future modification would run under a policy-bypassing PowerShell host, increasing the consequences.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The window procedure accepts WM_COPYDATA from external senders and immediately enqueues the received text for speech without authentication, consent, or origin checks. This allows any local process that can message the window to trigger arbitrary spoken output, enabling harassment, social-engineering audio, or denial-of-service through spammy playback. The skill context increases risk because playback is automatic and user-visible but not user-approved per message.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.