Kittentts

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform its stated audio/Telegram integration without evidence of malware, but users should understand that generated audio may leave the local machine.

Install only if you are comfortable with generated speech audio being sent through Telegram. Do not use it for confidential text unless you have checked the skill's configuration and know exactly which Telegram account or chat receives the audio.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The documentation states that generated audio will be automatically sent via Telegram when used with OpenClaw's `tts` tool, but it does not present this behavior as a clear user-facing warning or consent boundary. This creates a real risk of unintended data exfiltration, especially if users synthesize sensitive text locally under the assumption that processing remains local.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal