Back to skill

Security audit

Kokoro TTS

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward text-to-speech skill that sends requested text to a configured Kokoro endpoint and saves the returned MP3 locally.

Install this if you trust the Kokoro endpoint you will use. Prefer the localhost default, avoid sending secrets or sensitive private text to an untrusted remote server, and expect generated audio files to accumulate in the local media directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest description narrows the skill to a local TTS engine, which implies local-only processing. However, the skill documentation explicitly says it supports a local or remote Kokoro-TTS instance and allows configuring `KOKORO_API_URL` to point at `http://your-server:port/...`, expanding behavior beyond the manifest's stated scope.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The description says to use the skill when the user asks to 'say' something, which overlaps with common everyday speech and is not specific to text-to-speech requests. Without narrower trigger constraints or exclusion examples, this could cause unintended invocation in ordinary conversations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/tts.js:6