Inworld TTS

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward Inworld text-to-speech helper, but the text you convert is sent to Inworld.ai using your API key.

Install only if you are comfortable sending the chosen text to Inworld.ai for speech synthesis. Avoid using it with secrets, private customer data, or regulated content unless your Inworld account and policies allow that. Store the API key carefully, use the narrowest available permission, and skip the optional global symlink unless you need command-line access from anywhere.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs users to send arbitrary text to a third-party TTS provider without an explicit privacy or data-handling warning. Users may unknowingly transmit sensitive prompts, personal data, or confidential content to an external service, creating avoidable privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.
