Back to skill

Security audit

Edge TTS CN

Security checks across malware telemetry and agentic risk

Overview

This appears to be a straightforward text-to-speech skill, with ordinary setup and privacy caveats for an online TTS tool.

Install only if you are comfortable with npm dependencies and with selected text being sent to an online TTS provider. Be aware that the converter may omit standalone trigger words like 'tts' from the generated audio, and review ~/.tts-config.json if you use persistent voice, proxy, or output preferences.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The script silently alters user-provided content by removing words like 'tts' and 'text-to-speech' before synthesis, while presenting itself as a faithful text-to-speech converter. This creates an integrity issue: downstream users may rely on the audio as an accurate rendering of the original text, but the generated output can omit meaningful terms without explicit consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.