Back to skill

Security audit

chichi-speech (local text-to-speech service with Qwen3-TTS model)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent text-to-speech and voice-cloning service with operational and consent risks, but no evidence of hidden, destructive, or exfiltrating behavior.

Install this in an isolated Python environment, expect large external ML/model downloads, and run it with --host 127.0.0.1 unless you deliberately want other machines to access it. Only use reference audio from speakers who have explicitly consented to voice cloning, and avoid using generated speech for impersonation, fraud, or misleading others. Pin and update dependencies before exposing the service beyond a trusted local machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation describes a REST service that listens on a network port and uses external resources, but the skill does not declare corresponding permissions or capabilities. This creates a transparency and policy-enforcement gap: operators may deploy a network-accessing service without realizing its runtime exposure or external dependency behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation encourages users to supply arbitrary reference audio for voice cloning without any warning about consent, impersonation, privacy, or legal restrictions. In the context of a voice-cloning service, this materially increases misuse risk by normalizing cloning from user-provided samples, which could enable non-consensual impersonation, fraud, or processing of sensitive biometric voice data.

Known Vulnerable Dependency: fastapi — 3 advisory(ies): CVE-2021-32677 (Cross-Site Request Forgery (CSRF) in FastAPI); CVE-2021-32677 (FastAPI is a web framework for building APIs with Python 3.6+ based on standard ); CVE-2024-24762 (FastAPI is a web framework for building APIs with Python 3.8+ based on standard )

High
Category
Supply Chain
Confidence
89% confidence
Finding
fastapi

Known Vulnerable Dependency: uvicorn — 4 advisory(ies): CVE-2020-7694 (Log injection in uvicorn); CVE-2020-7695 (HTTP response splitting in uvicorn); CVE-2020-7694 (This affects all versions of package uvicorn. The request logger provided by the) +1 more

High
Category
Supply Chain
Confidence
90% confidence
Finding
uvicorn

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
86% confidence
Finding
requests

Known Vulnerable Dependency: torch — 10 advisory(ies): CVE-2025-2953 (PyTorch susceptible to local Denial of Service); CVE-2022-45907 (PyTorch vulnerable to arbitrary code execution); CVE-2025-32434 (PyTorch: `torch.load` with `weights_only=True` leads to remote code execution) +7 more

Critical
Category
Supply Chain
Confidence
93% confidence
Finding
torch

Known Vulnerable Dependency: pydantic — 4 advisory(ies): CVE-2021-29510 (Use of "infinity" as an input to datetime and date fields causes infinite loop i); CVE-2024-3772 (Pydantic regular expression denial of service); CVE-2021-29510 (Pydantic is a data validation and settings management using Python type hinting.) +1 more

High
Category
Supply Chain
Confidence
84% confidence
Finding
pydantic

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.