tencent-tts-podcast

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Tencent Cloud text-to-speech skill, but users should understand the cloud-processing, optional public upload, and dependency-installation caveats before use.

Install in an isolated Python environment, pin or review dependencies, and use least-privilege Tencent keys. Leave upload_cos disabled unless you intentionally want cloud storage/sharing, and treat uploaded COS audio as potentially public because the code attempts a public-read ACL. Do not process confidential text unless Tencent Cloud handling and any COS exposure are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    except ImportError:
        # Try to install
        import subprocess
        subprocess.check_call([sys.executable, "-m", "pip", "install", "cos-python-sdk-v5", "-q"])
        from qcloud_cos import CosConfig, CosS3Client

    cfg = CosConfig(Region=region, SecretId=secret_id, SecretKey=secret_key)
Confidence
97% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "cos-python-sdk-v5", "-q"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions even though it requires environment access, network connectivity, and likely shell/package-install behavior. This undermines informed consent and sandboxing because users and platforms cannot accurately assess what the skill may access or execute.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose focuses on TTS generation, but the skill also uploads outputs to Tencent COS and returns potentially public cloud URLs, with mention of automatic SDK installation. Hidden data egress and undeclared external storage materially change the trust boundary and can expose generated audio and embedded sensitive text to third parties.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The implementation goes beyond TTS generation and can upload generated audio to Tencent COS, including attempting to set the object ACL to `public-read`. This is a capability mismatch with the described skill behavior and can unexpectedly disclose generated content to external storage or public internet URLs.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Auto-installing an SDK at runtime is dangerous because it performs unreviewed code acquisition and execution outside the normal dependency management process. In a skill context, this allows network-dependent behavior and supply-chain risk unrelated to the minimum safe operation expected by users.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill asks users to supply Tencent cloud credentials directly in parameters and examples without clear secret-handling guidance. This increases the risk of accidental credential disclosure through logs, transcripts, copied prompts, or insecure storage by the hosting agent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The description does not warn that provided text may be sent to Tencent Cloud TTS and optionally COS. Users may submit confidential or regulated content under the false assumption of local-only processing, creating privacy, compliance, and data residency risks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill transmits user-provided text to Tencent's external TTS service without an explicit disclosure in the execution path. If users supply sensitive or proprietary text, this creates a confidentiality and privacy risk because data leaves the local environment and is processed by a third party.

Missing User Warnings

High
Confidence
98% confidence
Finding
When upload is enabled, the skill stores generated audio in Tencent COS and attempts to make it publicly readable, yet there is no explicit warning about remote retention or public exposure. This can leak podcast content, including sensitive narration, through guessable or shared URLs and broad internet access.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This tool retrieves Tencent Cloud credentials and sends user-provided text to an external TTS backend, but the user-facing behavior in this file does not disclose that data leaves the local environment or that cloud secrets are used. In an agent setting, this can cause unintentional disclosure of sensitive prompts or regulated data because users may assume processing is local.

Unpinned Dependencies

Low
Category
Supply Chain
Content
tencentcloud-sdk-python>=3.0.0
cos-python-sdk-v5>=1.8.0
requests>=2.20.0
Confidence
93% confidence
Finding
tencentcloud-sdk-python>=3.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
tencentcloud-sdk-python>=3.0.0
cos-python-sdk-v5>=1.8.0
requests>=2.20.0
Confidence
93% confidence
Finding
cos-python-sdk-v5>=1.8.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
tencentcloud-sdk-python>=3.0.0
cos-python-sdk-v5>=1.8.0
requests>=2.20.0
Confidence
97% confidence
Finding
requests>=2.20.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
requests

VirusTotal

66/66 vendors flagged this skill as clean.
