Jarvis Tts

Security checks across malware telemetry and agentic risk

Overview

This is a coherent text-to-speech skill that sends requested text to Microsoft Edge TTS and plays the generated audio locally.

Install if you are comfortable with requested speech text being sent to Microsoft Edge TTS and audio being played on the local machine. Avoid using it for secrets, private messages, or confidential business text unless that data handling is acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The skill description uses broad triggers like voice output, audio responses, and text-to-speech, which overlap with many ordinary assistant requests. This increases the chance the skill is invoked unexpectedly, causing unintended command execution, network use, or audio playback when the user did not explicitly consent to using this specific tool.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The documentation states that text is sent to Microsoft's TTS service, but it does not present a clear user-facing warning at point of use that user content leaves the local system. This is dangerous because users may provide sensitive or confidential text assuming local processing, resulting in unintended disclosure to a third party.

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal