Aliyun Qwen Tts

Security checks across malware telemetry and agentic risk

Overview

This text-to-speech skill mostly matches its purpose, but its helper script has under-scoped network and credential handling that should be reviewed before installation.

Install only if you are comfortable sending the text you synthesize to Alibaba Cloud DashScope and storing generated files locally. Before use, restrict or remove arbitrary base_url overrides, validate returned audio URLs against expected HTTPS DashScope/Alibaba hosts, add download time and size limits, and keep request payloads and generated audio in a private directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Tainted flow: 'audio_url' from os.getenv (line 109, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
```python
def download_audio(audio_url: str, output_path: Path) -> None:
    output_path.parent.mkdir(parents=True, exist_ok=True)
    with urllib.request.urlopen(audio_url) as response:
        output_path.write_bytes(response.read())
```
Confidence
91% confidence
Finding
with urllib.request.urlopen(audio_url) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs use of environment variables, local file reads/writes, and outbound network access, but does not declare any permissions or capability boundaries. This creates a transparency and policy-enforcement gap: operators cannot easily assess what the skill can access, and an execution framework may permit broader actions than intended.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill tells users to persist generated audio links, sample audio files, and request payloads without warning that these artifacts may contain sensitive text, personal data, or voice content. Storing such artifacts by default can lead to unintended retention, local disclosure, or later misuse of user-provided content.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill requires an API key and sends user text to a remote DashScope service, but it does not clearly warn that prompts and content leave the local environment. For sensitive or regulated text, this omission can cause accidental disclosure to a third-party provider and compliance issues.

Session Persistence

Medium
Category
Rogue Agent
Content
## Validation

```bash
mkdir -p output/aliyun-qwen-tts
python -m py_compile skills/ai/audio/aliyun-qwen-tts/scripts/generate_tts.py && echo "py_compile_ok" > output/aliyun-qwen-tts/validate.txt
```
Confidence
82% confidence
Finding
mkdir -p output/aliyun-qwen-tts python -m py_compile skills/ai/audio/aliyun-qwen-tts/scripts/generate_tts.py && echo "py_compile_ok" > output/aliyun-qwen-tts/validate.txt ``` Pass criteria: command e

VirusTotal

65/65 vendors flagged this skill as clean.
