SAM TTS

The skill provides text-to-speech functionality using the `sam-js` Node.js library. While the `SKILL.md` instructs the agent to pass user-provided text to a Node.js script (`scripts/sam-tts-wrapper.js`), the script itself processes this input as data via a JavaScript function call (`sam.buf8()`), not as a shell command. This design prevents shell injection vulnerabilities. The skill's file system access is limited to temporary WAV files in `/tmp` and its own state file (`memory/sam-mode.json`). The `SKILL.md` also explicitly instructs the agent to seek user consent before installing optional dependencies like `ffmpeg`, demonstrating good security practice. No evidence of data exfiltration, persistence, or other malicious intent was found.