Back to skill

Security audit

Voice.ai Voices

Security checks across malware telemetry and agentic risk

Overview

This skill mainly does Voice.ai text-to-speech, but it also exposes account voice update and permanent delete actions that deserve review before installation.

Install only if you are comfortable giving this skill a Voice.ai API key that may be usable for voice management, not just speech generation. Use the narrowest API key available, review any voice update/delete action before allowing it, avoid sending confidential text for synthesis, and choose output paths carefully so generated audio does not overwrite important files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The skill is presented primarily as a text-to-speech generator, but the documented SDK surface includes broader voice-management operations such as get/list and especially delete. This mismatch can cause users or orchestrators to grant trust appropriate for a low-risk TTS skill while the bundled code exposes destructive API actions against the user's Voice.ai account.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The SDK quick reference expands the apparent scope from speech synthesis to voice-management, including deletion, while the rest of the skill markets itself as TTS-focused. This can mislead reviewers and users about the true authority of the tool and increase the chance of unintended destructive use.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
A deleteVoice capability is not necessary for ordinary text-to-speech generation and violates the principle of least privilege for this skill's stated purpose. If invoked accidentally or by a higher-level agent, it could delete user resources in the external Voice.ai account.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
generateSpeechToFile writes attacker- or caller-controlled content to an arbitrary filesystem path without validation or sandboxing. In an agent environment, if untrusted input can influence outputPath, this can overwrite local files, drop payloads in sensitive locations, or modify application state beyond the stated TTS purpose.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
streamSpeechToFile streams remote data directly into an arbitrary local path, creating the same file-write primitive with potentially larger or unbounded content. In a skill/agent setting, this broadens impact because it can persist remote-controlled data to disk and overwrite files if path control is exposed.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The manifest markets the skill primarily as text-to-speech, but the available tools also include privileged state-changing operations such as update_voice and delete_voice. This mismatch can mislead users or higher-level agents into granting the skill broader trust than intended, increasing the chance of accidental destructive actions against voice assets.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation shows a destructive `deleteVoice` example without any warning, confirmation requirement, or discussion of consequences. In agentic environments, example code often becomes operational behavior, so omission of safety guidance materially raises the risk of accidental deletion.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.