Ressemble TTS e STT

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Resemble AI text-to-speech and speech-to-text wrapper, with some privacy and input-handling caveats but no evidence of hidden or malicious behavior.

Install only if you are comfortable sending selected text, uploaded audio, and your Resemble API key to Resemble AI. Avoid sensitive or regulated content unless that third-party processing is approved, prefer a limited API key, and expect unusual quotes or special characters in TTS text to cause malformed requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill sends user-provided text and audio to an external third-party API, but the description does not clearly warn users that potentially sensitive content leaves the local environment. This creates a privacy and data-governance risk because users may submit confidential speech or text without informed consent or awareness of external processing and retention.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The script uploads a local audio file to Resemble AI's external speech-to-text API, but it does not explicitly warn the user that the file contents will leave the local system and be processed by a third party. This is a real privacy/security issue because audio may contain sensitive personal, business, or regulated information, and users may invoke the skill without understanding the data transfer implications.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The script sends arbitrary user-provided text to Resemble AI's external synthesis endpoint without any explicit notice, consent prompt, or privacy warning. This creates a real data exposure risk because users may input sensitive content assuming local processing, and the skill context is a TTS integration where external transmission is expected technically but still requires transparent disclosure to be safe.

External Transmission

Medium
Category: Data Exfiltration
Content:
echo "🔊 Generating speech..."

RESPONSE=$(curl -s -X POST "https://f.cluster.resemble.ai/synthesize" \
  -H "Authorization: Bearer $RESEMBLE_API_KEY" \
  -H "Content-Type: application/json" \
  -d "{
Confidence: 90%
Finding:
curl -s -X POST "https://f.cluster.resemble.ai/synthesize" \
  -H "Authorization: Bearer $RESEMBLE_API_KEY" \
  -H "Content-Type: application/json" \
  -d

VirusTotal

66/66 vendors flagged this skill as clean.
