Security audit

openai-tts-api

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only TTS skill, but installing it appears to enable a much broader paid SkillBoss API gateway than the narrow OpenAI TTS name suggests.

Review this as broad SkillBoss API access, not just OpenAI TTS. Before installing, inspect the remote SkillBoss setup content, use a restricted or low-limit key if available, set spending controls, and only allow non-TTS models or APIs after explicit user approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill is branded as a narrowly scoped OpenAI TTS integration, but its setup text explicitly auto-configures access to hundreds of unrelated APIs, including scraping, social, and email capabilities. This scope expansion can cause an agent or user to trust and install a much broader third-party gateway than expected, increasing the chance of unintended tool use and data exposure.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The agent instructions recommend unrelated chat and reasoning models in a TTS skill, which weakens tool boundaries and may steer an agent into using broader non-audio capabilities under the guise of a TTS integration. In practice, this expands the operational scope from speech synthesis to general model routing through a third-party provider.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The post-install marketing states that installing this skill also grants access to numerous unrelated API categories such as chat, social data, and web scrapers. This is dangerous because it obscures the true privilege and capability expansion associated with enabling what appears to be a single-purpose TTS skill.

Vague Triggers

Medium
Confidence: 86%
Finding
The invocation guidance says to use the skill whenever the user needs OpenAI TTS, without guardrails around data sensitivity, provider preference, or confirmation before sending content to SkillBoss. Broad activation language can cause the skill to trigger in situations where users expected direct OpenAI use or did not consent to third-party routing.

Vague Triggers

Medium
Confidence: 90%
Finding
The 'When To Use This Skill' section uses broad, ambiguous conditions that encourage activation for generic TTS requests, even though the skill routes requests through a third-party multi-API gateway. Without clear scope limits, an agent may over-select this skill and expose user data to an unexpected external provider.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs users to send prompts and API requests to api.skillboss.co but does not prominently disclose the privacy, retention, or data-sharing implications of transmitting content to a third party. This omission is especially risky because users may assume they are using OpenAI directly when they are actually sending data through another provider.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.