Back to skill

Security audit

Lipvoice Tts

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward LipVoice API helper, but users should treat uploaded voices, text, API keys, and model deletion as sensitive actions.

Install only if you are comfortable sending reference audio and TTS text to LipVoice using your API key. Use only voices you have permission to clone, avoid confidential recordings or text, verify output paths before writing files, and double-check the target audio-id before running the delete command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tainted flow: 'req' from os.environ.get (line 151, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
# 下载音频
                    try:
                        req = urllib.request.Request(voice_url, headers={'sign': API_KEY})
                        with urllib.request.urlopen(req, timeout=60) as response:
                            with open(output, 'wb') as f:
                                f.write(response.read())
                        print(f"✅ 合成完成!已保存到: {os.path.abspath(output)}")
Confidence
86% confidence
Finding
with urllib.request.urlopen(req, timeout=60) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares allowed tools but does not clearly disclose that it relies on environment secrets and external network access to transmit audio and text to a third-party API. This creates a capability-transparency gap: users may invoke the skill without understanding that sensitive input and API credentials are involved, increasing the risk of unintended data exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill description emphasizes voice cloning and TTS, but the documented behavior also includes deleting voice models. A destructive operation that is not reflected in the high-level purpose can mislead users or orchestrators into invoking the skill with broader authority than expected, resulting in accidental permanent deletion of assets.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill description says it can create, list, and synthesize voices, but the code also implements deletion of existing voice models. This hidden destructive capability increases the risk of accidental or unauthorized data loss because users and integrators may invoke the skill without realizing it can remove remote assets.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation does not clearly warn that uploaded reference audio and TTS text are sent to an external enterprise API and that synthesized audio is written to local storage. Because voice samples and text may contain sensitive biometric or personal data, insufficient disclosure can lead to unintentional privacy and data-handling violations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The delete command is documented as a routine operation without any warning that model removal may be permanent. In a skill handling user-created assets, missing cautions around irreversible actions increases the chance of accidental destructive use and loss of voice models.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The upload path reads a local audio file and transmits it to a remote voice-cloning service without any explicit privacy notice or consent reminder. Because voice samples are sensitive biometric-like data and may contain personal information, silent upload can create privacy, compliance, and user-expectation risks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The delete command permanently removes a remote voice model immediately, without a confirmation prompt or other guardrail. In a command-line or agent-driven context, this makes accidental destructive actions more likely and can lead to loss of user-created models.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.