06 Tts Voice

Security checks across malware telemetry and agentic risk

Overview

This is a small text-to-speech skill whose external API use matches its stated purpose, though users should treat submitted dialogue as shared with the configured TTS provider.

Install only if you trust the TTS provider you configure in API_BASE. Avoid submitting secrets, private personal data, or sensitive unpublished dialogue unless that provider is acceptable for your use case, and use a limited API key that can be rotated or revoked.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill sends the full user-provided dialogue to an external TTS endpoint, which is a privacy-relevant data transfer. Even if this is functionally necessary, the code contains no notice, consent check, minimization, or restriction on what user content may be transmitted, so sensitive user text could be disclosed to a third party without user awareness.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal