Baidu Speech Synthesis

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Baidu text-to-speech skill that uses disclosed credentials, sends selected text to Baidu, and writes generated audio files locally.

Install only if you are comfortable sending the selected text to Baidu and using Baidu TTS credentials on this machine. Use a dedicated Baidu key with quota or budget limits, avoid processing confidential scripts unless appropriate, and review batch input and output directories before running.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill documentation describes capabilities to read/write files, access environment variables, make network requests to Baidu, and invoke shell tools like ffmpeg, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users and the platform may underestimate the skill's reach, especially because it handles sensitive credentials via environment variables and performs external network calls.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal