Back to skill

Security audit

Voice Ai Tts

Security checks across malware telemetry and agentic risk

Overview

This is a mostly normal Voice.ai text-to-speech skill, but it also exposes Voice.ai account voice update and permanent delete actions beyond the main TTS purpose.

Install only if you are comfortable giving this skill a Voice.ai API key and treating it as TTS plus voice management, not just audio generation. Avoid exposing broad account credentials to agents unless you accept that the shipped SDK/spec can update or permanently delete Voice.ai voice assets; check output paths before generating audio.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill is presented as a text-to-speech utility, but the documented SDK surface includes broader voice-management operations such as listing, retrieving, and deleting voices. This capability mismatch can cause users or orchestrators to grant trust to a skill that can perform destructive account-level API actions beyond expected synthesis, increasing the risk of unauthorized or accidental deletion.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The documentation emphasizes voice synthesis use, yet the quick reference exposes deleteVoice, a destructive operation unrelated to basic TTS. Even if legitimate, undocumented deletion capability expands the attack surface and could be invoked by downstream tooling or users who assume the skill is non-destructive.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The changelog claims risk-reducing removal of broader voice features, but nearby SDK documentation still advertises destructive voice-management behavior including deletion. This inconsistency undermines trust and can mislead reviewers into believing the bundle is less capable than it actually is, which is dangerous when account-modifying operations remain exposed.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The SDK exposes voice-management capabilities including update and deletion of remote voice resources, but the skill metadata only describes text-to-speech synthesis. This capability mismatch is dangerous because consumers may grant or invoke the skill expecting read/generate-only behavior, while the code can modify or remove remote assets tied to the user's account.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The SDK includes helpers that write generated or streamed audio to arbitrary local filesystem paths, but the manifest does not disclose local file-writing behavior. This is risky because downstream agents or users may treat the skill as network-only TTS generation while it can persist data anywhere the process has write access, enabling unintended overwrites or data placement.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The skill is presented as a text-to-speech capability, but it also exposes administrative voice-management actions including update and permanent delete operations. That scope expansion increases the chance that users or downstream agents invoke destructive actions they did not expect from a TTS-focused integration, which can lead to accidental data loss or unauthorized modification if the hosting platform does not add strong confirmation and permission controls.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The generateSpeechToFile helper writes audio directly to a caller-provided path with no warning, prompt, or safety checks. In an agent context, this can lead to silent persistence or overwriting of files if an untrusted prompt or tool invocation controls the output path.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The streaming helper pipes remote audio data directly into a local file at an arbitrary path without any user-facing disclosure or path restriction. This creates silent file-write behavior and can be abused to place large or unexpected content on disk, or overwrite accessible files in agent/runtime environments.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal