Tts

Security checks across malware telemetry and agentic risk

Overview

This text-to-speech skill appears to do what it claims, with expected use of provider API keys and local MP3 output.

Install only if you are comfortable sending the text you choose to Hume or OpenAI for speech generation. Provide only the API key for the provider you intend to use, do not set the unused HUME_SECRET_KEY unless the publisher clarifies a need, and choose a dedicated output path to avoid overwriting files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill clearly relies on environment secrets and outbound network access to third-party TTS providers, yet it declares no permissions. That mismatch weakens review and consent controls because operators and users are not explicitly informed that the skill can access API keys and transmit user-provided text externally.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill description omits important privacy and data-handling behavior: it saves generated audio to disk and sends user text to Hume AI or OpenAI. Without clear disclosure, sensitive content may be transmitted to third parties or retained locally in ways users and reviewers do not expect.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal