Context-Inappropriate Capability
Medium
- Confidence
- 93% confidence
- Finding
- The script performs an implicit `pip3 install -q edge-tts` at runtime if `uv` and `edge-tts` are not already present. This expands the skill's behavior from local text-to-speech generation to network-based package installation and execution of newly fetched code, which creates supply-chain risk, non-deterministic behavior, and unexpected environment modification. In the context of an agent skill, this is more dangerous because simply invoking TTS can trigger dependency installation without explicit user consent.
