ClawHub

TTS

Security checks across malware telemetry and agentic risk

Overview

This TTS skill is purpose-aligned, but users should know their text is sent to an external speech service and generated audio may persist on disk.

Install only if you are comfortable sending the text you provide to the external TTS service. Avoid using it for secrets, private documents, regulated data, or sensitive personal content unless you trust that service, and delete generated MP3 files if they should not remain on disk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill directs user text to a third-party hosted TTS service but does not disclose that potentially sensitive user content will be transmitted off-platform. In this context, users may submit private documents, messages, or scripts for speech generation, so the lack of a privacy warning and consent step creates a real data exposure risk.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The workflow instructs saving generated MP3 files to persistent user storage without telling the user that an output artifact will be written and retained there. This can leave sensitive spoken versions of private text stored on disk longer than the user expects, increasing exposure to later access or accidental sharing.

External Transmission

Medium
Category
Data Exfiltration
Content
### POST (recommended for longer text or programmatic use)

```bash
curl -X POST https://tts.102465.xyz/api/tts \
  -H "Content-Type: application/json" \
  -d '{"text":"你好世界","voice":"晓晓","emotion":"温柔","provider":"azure"}' \
  --output output.mp3
Confidence
90% confidence
Finding
curl -X POST https://tts.102465.xyz/api/tts \ -H "Content-Type: application/json" \ -d

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal