AI语音合成TTS - 聚合数据

Security checks across malware telemetry and agentic risk

Overview

This skill coherently turns user-provided text into speech through Juhe's API, with normal privacy and API-key considerations for an external TTS service.

Install only if you are comfortable sharing the text you synthesize with Juhe and using a Juhe API key. Use a dedicated key if possible, avoid command-line key exposure on shared systems, do not synthesize secrets or sensitive personal data, and be careful when using --file or choosing an output path.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 79% confidence
Finding: The description includes broad example triggers like converting arbitrary text to speech without clear activation boundaries, which can cause the agent to invoke this skill on loosely related user requests. Over-broad routing increases the chance that sensitive or unintended text gets sent to the external TTS provider unnecessarily.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill states that user-provided text is sent to the Juhe third-party TTS API, but it does not prominently warn that submitted content leaves the local environment and is processed by an external service. This creates a privacy risk because users may unknowingly submit confidential, personal, or regulated text to a third party.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal