iFlytek Ultra-Realistic TTS

This skill appears to implement the claimed iFlytek TTS functionality, but there are two issues you should consider before installing or using it: 1) Metadata mismatch — The registry entry claims no required environment variables, but SKILL.md and the bundled script require XFYUN_APP_ID, XFYUN_API_KEY, and XFYUN_API_SECRET. Do not provide sensitive credentials unless you trust the publisher. Ask the maintainer to fix the metadata so the required secrets are visible up front. 2) Insecure TLS — The Python WebSocket client in scripts/tts.py explicitly disables TLS certificate verification (check_hostname=False and verify_mode=ssl.CERT_NONE). This can enable man-in-the-middle attacks that could capture your API keys or audio data. Request a version that validates certificates, or run the script only in a controlled environment or over a trusted network. Prefer using an official SDK or a verified client that performs proper TLS validation. Other suggestions: - Verify the endpoint host and that it matches the official provider; confirm the code hasn’t been tampered with (no homepage/source is provided). - Inspect the remainder of scripts/tts.py (file was truncated in the listing) to ensure there is no hidden data exfiltration or logging of secrets. - Limit the API key permissions (use least privilege) and consider creating a dedicated test account/keys for evaluation. Given these issues, treat the skill with caution. The problems look like sloppy or risky engineering rather than clear malicious intent, but they are serious enough to delay use until corrected.