Back to skill

Security audit

MOSS TTSD 多人对话合成

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward MOSI Studio dialogue-to-speech helper, but users should expect their dialogue text to be sent to MOSI’s API.

Install only if you are comfortable sending the dialogue text and speaker IDs you provide to MOSI Studio for processing. Keep MOSI_TTS_API_KEY private, prefer the environment variable over passing --api-key on the command line, and review the separate Feishu helper before using the optional voice-message workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends user-supplied dialogue text and speaker IDs to a third-party remote API, but it does not clearly disclose that potentially sensitive content will leave the local environment. In an agent-skill context, users may assume processing is local, so undisclosed outbound transmission can cause privacy, compliance, or confidentiality issues if private conversations or identifiers are submitted.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.