Edge Tts Zh

Security checks across malware telemetry and agentic risk

Overview

This Chinese text-to-speech skill mostly matches its stated purpose, but it ships under-disclosed scripts that can silently modify the installed skill and add hidden audio playback behavior.

Review carefully before installing. The core TTS script does not show credential theft, broad data access, or exfiltration, and VirusTotal/static scan signals are clean. The practical concern is that the package includes undocumented patching scripts and automatic playback behavior. Install only if you are comfortable auditing/removing patch.py and fix.py, and expect generated audio to be played automatically rather than only saved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises shell execution plus file read/write behavior but declares no permissions, which undermines transparency and any permission-gating the platform may rely on. In this TTS context, reading arbitrary files for input and writing output files are expected capabilities, but undeclared shell access broadens risk because installation or playback commands could execute beyond pure synthesis behavior.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The reported behavior goes beyond the stated TTS purpose by auto-playing audio and, more importantly, modifying its own scripts via fix.py/patch.py. Self-modifying or patching behavior is especially dangerous because it can alter trusted code after review, hide later malicious changes, or create persistence mechanisms unrelated to the declared function.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The patch injects automatic audio playback into another script, changing behavior from generating audio files to silently launching playback. This expands the skill’s capabilities beyond straightforward TTS generation and introduces unexpected side effects that can surprise users or be abused to trigger hidden execution paths.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The patch introduces PowerShell-based subprocess execution solely to launch generated output, which is a sensitive capability not required for basic text-to-speech generation. Adding shell invocation increases attack surface and can become dangerous if the interpolated path or surrounding invocation logic is ever influenced by untrusted input.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This script directly overwrites another skill file at a hard-coded path without any backup, integrity check, user confirmation, or validation that the expected content was found before writing. In a skill package, self-modifying or cross-file modification is risky because it can silently alter runtime behavior and may be repurposed to tamper with code outside the user's awareness.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script overwrites speak.py in place without prompting, backup, integrity verification, or user confirmation. Silent modification of another skill file is risky because it hides behavior changes and can permanently alter trusted code paths in a way users do not expect.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The injected code performs hidden playback using a subprocess with WindowStyle Hidden and no explicit notice beyond stderr output. Hidden execution reduces transparency and can be used to mask behavior from users, which is especially concerning in a skill expected to generate speech artifacts rather than autonomously launch them.

VirusTotal

65/65 vendors flagged this skill as clean.
