tts

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward text-to-speech skill that sends user-provided text to SkillBoss and saves the returned MP3 locally.

Install only if you are comfortable sending the text you provide to SkillBoss API Hub using a revocable SKILLBOSS_API_KEY. Avoid converting secrets or highly private text, choose output paths carefully, and consider refreshing the stale package-lock before npm-based use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 82% confidence
Finding: The skill states that it generates MP3 files and prints their absolute path, but it does not clearly warn that running it will write files to local disk. This is low severity, but lack of disclosure can still cause privacy, storage, or operational issues if users assume the action is transient or do not expect local artifact creation.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal