Togetherai Tts

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends user-provided text to TogetherAI to generate an audio file, with ordinary privacy and file-path cautions.

Install only if you are comfortable sending the text you synthesize to TogetherAI under that service's terms. Use a scoped or low-risk API key if possible, keep .env private, and choose an output filename in a safe working directory so you do not overwrite an important file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 92%
Finding: The documentation tells users how to run the text-to-speech skill and configure API credentials, but it does not warn that provided text is transmitted to the TogetherAI service. This can cause users to unknowingly send sensitive or regulated content to a third-party API and may lead to privacy, compliance, or data-handling issues.

Missing User Warnings

Medium
Confidence: 91%
Finding: The script sends arbitrary input text directly to a third-party TTS service, which can expose sensitive or regulated data if users pass secrets, personal information, or confidential content. There is no notice, consent flow, redaction step, or policy enforcement in the code, so privacy risk depends entirely on caller behavior and external service handling.

External Transmission

Medium
Category: Data Exfiltration
Content:
async function generateTTS(text, outputFile) {
  try {
    const response = await axios.post(
      'https://api.together.ai/v1/audio/speech',
      {
        text,
        model,
Confidence: 87%
Finding: https://api.together.ai/

VirusTotal

65/65 vendors flagged this skill as clean.