Back to skill

Security audit

mmEasyVoice

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed MiniMax voice-generation skill, but it sends chosen text and voice samples to a third-party API and includes advanced voice features beyond its short summary.

Install only if you are comfortable using a MiniMax API key and sending selected text, text files, and voice samples to MiniMax. Use cloning only for voices you own or have permission to use, avoid confidential content unless MiniMax's terms fit your needs, and verify output paths before writing or converting files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (25)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_ffmpeg_command(args: List[str], timeout: int = 300) -> bool:
    """Execute ffmpeg command with given arguments"""
    try:
        result = subprocess.run(
            ["ffmpeg"] + args,
            capture_output=True,
            text=True,
Confidence
92% confidence
Finding
result = subprocess.run( ["ffmpeg"] + args, capture_output=True, text=True, timeout=timeout )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        # Use ffprobe to get format info
        result = subprocess.run(
            [
                "ffprobe", "-v", "quiet",
                "-print_format", "json",
Confidence
78% confidence
Finding
result = subprocess.run( [ "ffprobe", "-v", "quiet", "-print_format", "json", "-show_format", "-show_streams",

Tainted flow: 'url' from os.getenv (line 161, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
Returns:
        Saved file path
    """
    response = requests.get(url, timeout=timeout)
    response.raise_for_status()
    
    with open(output_path, "wb") as f:
Confidence
90% confidence
Finding
response = requests.get(url, timeout=timeout)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill is presented as a simple text-to-speech utility, but the documented behavior extends into voice cloning, voice design, long-text task orchestration, file upload, and broader audio processing. This mismatch can mislead users and automated policy systems into granting trust or permissions under a narrower mental model than the skill actually requires.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file exposes materially broader capabilities than the declared skill purpose of 'simple text-to-speech,' including voice cloning, voice design, audio manipulation, and environment checks. This kind of scope mismatch is dangerous because it expands the attack and abuse surface beyond what a user or reviewer would reasonably expect, especially where biometric-like voice features are involved.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Voice cloning is a sensitive capability that can enable impersonation, social engineering, and misuse of uploaded voice samples, and it is not justified by the stated purpose of a simple TTS skill. In this context, the mismatch makes the feature more dangerous because users may provide audio without realizing they are invoking a cloning workflow with significant privacy and abuse implications.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Voice design is outside the stated scope of a simple TTS skill and creates hidden capability expansion beyond user expectations. While less directly harmful than cloning, it still broadens functionality in a way that can support deceptive audio generation and undermines trust in the skill's declared behavior.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The module docstring openly describes a multi-function tool that conflicts with the manifest's simple TTS positioning, evidencing a documentation and disclosure mismatch. Such inconsistencies are dangerous because they can conceal unexpected capabilities from reviewers and users, reducing informed consent and proper risk assessment.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The guide documents voice cloning and voice design features that materially exceed the manifest’s stated scope of 'simple text-to-speech'. This scope mismatch can mislead users, reviewers, or policy controls about the skill’s actual capabilities, increasing the risk of unauthorized biometric voice cloning or unreviewed API operations being exposed through the skill.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file presents the package as a broad SDK with capabilities far beyond the declared 'simple text-to-speech' skill, including voice cloning, voice design, voice management, async workflows, file upload, and FFmpeg-based processing. In an agent-skill context, this scope mismatch increases attack surface and enables unintended high-risk operations that users and policy controls may not expect from a simple TTS tool.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The public API exposes destructive voice-management functions such as delete operations and cleanup routines despite the skill being described as simple TTS. If an agent or user invokes these unexpectedly, custom voices or related assets could be deleted, causing unauthorized modification or loss of resources.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill exports voice cloning and voice design functionality that is not reflected in the manifest's simple TTS description. These features are materially more sensitive because they can create or emulate voices, raising impersonation, consent, and policy risks if exposed under misleading scope.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The top-level docstring explicitly advertises a complete SDK with broad voice-management and cloning features, contradicting the manifest's narrow simple-TTS framing. In a skill ecosystem, misleading capability descriptions are dangerous because reviewers, users, and automated permission systems may under-assess the real operational scope.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Using local `ffmpeg`/`ffprobe` binaries materially expands the skill's capability beyond a simple API-based TTS wrapper and introduces a large native parsing and file-processing attack surface. In this context, the mismatch is security-relevant because the skill can read, transform, and write arbitrary local media through subprocesses not obviously required by the manifest.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file implements full voice-cloning workflows, including uploading source audio, prompt audio, and creating reusable cloned voices, which materially exceeds the stated skill scope of simple text-to-speech. Scope mismatch is dangerous because users or downstream agents may invoke biometric voice replication capabilities they did not knowingly authorize, increasing abuse risk such as impersonation or deceptive audio generation.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The module exposes destructive voice-deletion operations that are not aligned with the skill's declared purpose of simple text-to-speech generation. In an agent/skill context, adding deletion primitives increases the blast radius of misuse or prompt-driven invocation, enabling unauthorized or accidental removal of user-created voice assets.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The cleanup function enumerates all cloned and designed voices and deletes them in bulk, which is a highly destructive capability unrelated to the advertised text-to-speech function. In a tool-using agent environment, a single mistaken or manipulated call could wipe all custom voices, causing irreversible loss of user assets and service disruption.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The voice-cloning flow accepts a user-provided audio file and passes it into cloning logic without any explicit privacy disclosure, consent prompt, or warning about remote processing. This is dangerous because voice samples are sensitive personal data and may be uploaded or retained by upstream services, creating privacy, compliance, and misuse risks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function uploads a local text file to a third-party API, but the module provides no explicit user-facing notice or consent step indicating that file contents will leave the local environment. In a TTS skill, users may reasonably pass sensitive manuscripts, transcripts, or documents, so silent exfiltration to a remote service creates a real privacy and data-handling risk even if it is part of intended functionality.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends arbitrary input text to a remote TTS endpoint without any explicit warning at the call site or enforced acknowledgement that user content is being transmitted off-device. Because this skill is specifically designed to convert user-provided text to speech, it is likely to handle potentially sensitive content, making undisclosed remote transmission a meaningful privacy issue rather than a mere implementation detail.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function unconditionally deletes files listed in `temp_files`, and those paths can come from segment-provided `output_path` values. If an attacker can influence segment metadata, they may be able to cause deletion of arbitrary files accessible to the process, especially because no ownership, directory, or temporary-file validation is performed.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The module sends user-provided segment text to a remote HTTP TTS API, which can expose sensitive or regulated content if users assume processing is local. In a skill advertised as simple TTS, lack of an explicit disclosure about network transmission increases the risk of inadvertent data leakage, especially for private prompts, transcripts, or confidential text.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This helper silently downloads remote content and saves it locally, which creates a security boundary crossing without any built-in disclosure, validation, or confirmation. In this skill's TTS context, writing audio files is expected, but the generic implementation still makes misuse easier because any reachable URL can be fetched and stored.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function uploads a local audio sample to a third-party API for the purpose of voice cloning without any built-in user-facing disclosure, confirmation, or consent mechanism. Because voice recordings are sensitive biometric data, silent external transmission can expose private speech, identity traits, or regulated personal data to an external processor without informed user approval.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This prompt-audio upload path sends an additional voice sample to the remote API, again without an explicit disclosure that sensitive voice data is leaving the local environment. The risk is amplified because prompt audio is specifically intended to improve cloning fidelity, making misuse or unauthorized impersonation easier if the upload occurs without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.