Back to skill

Security audit

Smart Speak Multilingual TTS (Jaskies)

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward text-to-speech skill with normal setup and privacy cautions, not evidence of harmful behavior.

Install only if you are comfortable adding ffmpeg and edge-tts from trusted package sources. Avoid converting secrets, private business text, or personal data unless you accept that the text may be sent to an external TTS provider. Choose the output path carefully because the generated MP3 can overwrite that file, and verify the hard-coded edge-tts path works on your machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill instructs users to run shell commands and write output files, but it does not declare corresponding permissions or capabilities. This weakens transparency and policy enforcement because users and platforms are not clearly informed that the skill can invoke local tools and create files on disk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes sending text to edge-tts but does not warn that synthesis may transmit user-provided content to Microsoft-operated TTS services. This creates a privacy and data-handling risk, especially if users submit sensitive, proprietary, or personal text assuming processing is fully local.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.