Azure Speech Tts

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Azure text-to-speech helper that discloses its Azure credential use, sends user-provided text or SSML to Azure, and writes local audio output.

Install only if you are comfortable sending the text or SSML you provide to Azure Speech. Use a dedicated Azure Speech key, keep it in environment variables rather than config files, and review any --output or --save-ssml path because the helper will write to the path it is given.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill documentation describes access to environment secrets, local file reads/writes, and outbound network use, but it does not declare any permissions or constraints for those capabilities. This weakens reviewability and policy enforcement because operators cannot easily see that the skill will use Azure credentials, read local inputs, write arbitrary output files, and contact a remote service.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal