Cast

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Typecast text-to-speech helper with normal cautions around an external CLI, API key use, and sending text to a cloud service.

Install only if you trust the external Typecast CLI and are comfortable using a Typecast API key. Avoid submitting secrets, private documents, or regulated data unless Typecast's handling terms are acceptable, and remove or protect ~/.typecast/config.yaml when you no longer need stored credentials.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill exposes a cloud TTS CLI that necessarily transmits user-provided text to a remote service and supports local credential storage, but the documentation does not clearly warn users about either behavior. This can lead users to paste sensitive content or assume processing is purely local, creating avoidable privacy and credential-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal