Security audit

gtts

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward gTTS text-to-speech guide, with the main caveat that user text is processed by Google's online service.

Use this for non-sensitive text-to-speech work. Avoid submitting secrets, private messages, confidential documents, or regulated personal data unless you are comfortable with that text being processed by Google's service; choose an offline TTS tool for privacy-sensitive use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill states that gTTS uses Google's Text-to-Speech API and requires internet, but it does not clearly warn that user-provided text is transmitted to a third-party service. This can expose sensitive or regulated content if users assume processing is local, especially in workflows involving private documents, notes, or proprietary text.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal