Back to skill

Security audit

🗣️ Edge-TTS Skill using uvx

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent for text-to-speech use, but the text being converted may be processed by Microsoft's online TTS service.

Install this only if you are comfortable using uvx to run edge-tts and sending the text you convert to Microsoft's TTS service. Avoid converting secrets, credentials, confidential documents, regulated data, or private messages unless that external processing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill sends user-provided text to Microsoft's Edge TTS service, but the description does not warn that input leaves the local environment and is transmitted to a third party. This can cause unintentional disclosure of sensitive or regulated data if users assume the tool is local-only, especially because the skill is framed as a generic TTS utility without privacy caveats.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.