Fish Tts

Security checks across malware telemetry and agentic risk

Overview

This TTS skill is not clearly malicious, but it needs Review because it embeds a NextCloud password and uploads generated audio to a fixed NextCloud service by default.

Install only if you control the referenced Fish Audio and NextCloud services. Rotate or remove the embedded NextCloud password, set your own scoped credentials, confirm the destination URL and folder, and avoid sensitive text unless you are comfortable sending it to the configured TTS service and storing the audio in NextCloud.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The function claims to upload a file to NextCloud, opens the file, but never sends its contents in the PUT request. This creates integrity and reliability problems: callers may believe sensitive audio was successfully stored when it was not, which can break workflows and lead to incorrect assumptions about retention, delivery, or auditability.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The health-check logic reports Fish Audio S1 and OpenVoice V2 as "error" when the output file exists and "working" when it does not, which is the inverse of expected behavior. This can mislead operators into trusting broken services or troubleshooting healthy ones, weakening monitoring and incident response.

Missing User Warnings

High
Confidence: 100%
Finding
The skill embeds a real-looking NextCloud password directly in documentation and script defaults, which exposes a reusable secret to anyone who can read the file. Hard-coded credentials are frequently harvested from repos, logs, and skill packs, enabling unauthorized access to remote storage and any data contained there.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs users to send text to a TTS service and upload resulting audio to NextCloud without clearly warning that potentially sensitive content leaves the local workflow and is stored remotely. In this context, users may unknowingly transmit confidential prompts, generated speech, or metadata to network services and persistent storage.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill sends user-provided text to external TTS services and then uploads generated audio to NextCloud without any explicit consent, warning, or data-handling notice. If the text contains secrets, personal data, or proprietary content, this behavior can cause unintended disclosure to network services and storage systems.

VirusTotal

64/64 vendors flagged this skill as clean.
