Voice.ai Voices

The skill is generally well-documented and transparent, explicitly stating its network and file access behaviors. However, the `scripts/tts.js` file directly uses the user-provided `--output` argument for `fs.writeFileSync` and `fs.createWriteStream` without path sanitization. This introduces a path traversal vulnerability, allowing an attacker to write generated audio to arbitrary file paths (e.g., `../../../../etc/passwd`), potentially leading to data corruption or denial-of-service, which is a risky capability without clear malicious intent.