xiaomi-mimo-v2-tts

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward cloud text-to-speech tool, but the text you provide is sent to Xiaomi MiMo and the audio is saved locally.

Install this only if you are comfortable sending the text you want spoken, plus any optional --user-msg context, to Xiaomi MiMo. Avoid using it for confidential, regulated, or private text unless Xiaomi's terms and your own data-handling rules allow it; store MIMO_API_KEY with the same care as other API credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The script sends the provided text and optional user-role context directly to a third-party API, which can expose sensitive or proprietary content if users assume processing is local. In an agent skill context, this is meaningful because both the main text and the optional contextual prompt may contain private data, and the code does not enforce consent, redaction, or any visible disclosure at the point of transmission.

VirusTotal

67/67 vendors flagged this skill as clean.
