Security audit

Edge TTS CN

Security checks across malware telemetry and agentic risk

Overview

This appears to be a straightforward text-to-speech skill, with ordinary setup and privacy caveats for an online TTS tool.

Install only if you are comfortable with npm dependencies and with selected text being sent to an online TTS provider. Be aware that the converter may omit standalone trigger words like 'tts' from the generated audio, and review ~/.tts-config.json if you use persistent voice, proxy, or output preferences.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 87% confidence
Finding: The script silently alters user-provided content by removing words like 'tts' and 'text-to-speech' before synthesis, while presenting itself as a faithful text-to-speech converter. This creates an integrity issue: downstream users may rely on the audio as an accurate rendering of the original text, but the generated output can omit meaningful terms without explicit consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.