Back to skill

Security audit

Qwen3-tts

Security checks across malware telemetry and agentic risk

Overview

This is a real text-to-speech skill, but its prominent offline framing does not fully match its remote HTTP modes and unauthenticated network server behavior.

Install only if you understand that this skill is not strictly offline in all modes. Keep QWEN_TTS_REMOTE unset for private local use, do not send sensitive text to remote servers, bind any server to localhost or a tightly controlled private network, and add authentication/TLS or firewall restrictions before exposing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises and documents shell execution, environment-variable usage, and automatic model downloads from Hugging Face, yet no permissions are declared. This creates a transparency and sandboxing problem: operators may treat the skill as lower-risk than it is, while the actual behavior includes command execution and outbound network access.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The documentation instructs users to send TTS requests to a remote HTTP server on a LAN IP, which conflicts with the stated offline/local-only security model. This can mislead operators into transmitting text and potentially sensitive audio-related content over the network, weakening privacy assumptions and expanding the attack surface if the remote service is exposed, compromised, or misconfigured.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The server allows clients to supply an arbitrary model identifier in the request body, and that value is passed into Qwen3TTSModel.from_pretrained at runtime. This undermines the stated offline/local-only behavior and can trigger unexpected network access, unreviewed model retrieval, and loading of attacker-chosen remote artifacts, which expands the trust boundary and can lead to supply-chain or denial-of-service risks.

Description-Behavior Mismatch

Low
Confidence
85% confidence
Finding
The server binds to 0.0.0.0 by default, making the TTS service reachable from other hosts on the network rather than only from the local machine. In the context of a resource-intensive generation service, this increases exposure to unauthorized use, information leakage through submitted text, and easy denial-of-service via repeated synthesis requests.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata claims the TTS runs entirely offline after initial model download, but this script requires a remote server URL and transmits the full synthesis payload over HTTP. This mismatch can cause users to send potentially sensitive text to another host under a false privacy assumption, which is a real security and trust issue.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The docstring openly describes a remote VoiceDesign client, which conflicts with the surrounding skill description that presents the feature as local/offline Qwen TTS. That discrepancy increases the likelihood of accidental data exposure because operators may deploy or approve it under incorrect assumptions about network behavior.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The implementation and usage examples make clear this script is a remote client, contradicting the manifest's offline/local positioning. Security-relevant documentation inconsistencies are dangerous because they can bypass review expectations and lead users to expose content to a network service without informed consent.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is described as a local/offline TTS alternative, but the implementation supports sending user text and synthesis parameters to a remote server via --remote or the QWEN_TTS_REMOTE environment variable. That mismatch can mislead operators into exposing potentially sensitive text off-host when they reasonably expect fully local processing.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The network client capability is broader than expected for an 'offline local TTS' skill and can exfiltrate all spoken content, speaker selection, instructions, and model metadata to an arbitrary URL. In this context, hidden or insufficiently disclosed network behavior is more dangerous because users may route private prompts through the tool assuming local-only execution.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The guide explicitly instructs users to bind the server to 0.0.0.0 and access it remotely, but it does not warn that any reachable host on the network may send requests or that submitted text may traverse the network unencrypted. In a TTS skill, prompts may contain sensitive user content, so exposing the service without authentication, TLS, or network-scoping guidance increases risk of unauthorized use and privacy leakage.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Remote mode transmits user-provided text and synthesis controls to a server without an explicit privacy warning or consent flow at the point of use. Because TTS input may contain secrets, personal data, or confidential message content, silent transmission creates a meaningful privacy and data-handling risk.

External Transmission

Medium
Category
Data Exfiltration
Content
print(f"🎙️  Voice: {voice_desc[:60]}...", file=sys.stderr)
    
    try:
        response = requests.post(
            f"{remote_url}/tts",
            json={
                "text": text,
Confidence
95% confidence
Finding
requests.post( f"{remote_url}/tts", json=

External Transmission

Medium
Category
Data Exfiltration
Content
print(f"🌐 Using remote server: {remote_url}", file=sys.stderr)
    
    try:
        response = requests.post(
            f"{remote_url}/tts",
            json={
                "text": text,
Confidence
95% confidence
Finding
requests.post( f"{remote_url}/tts", json=

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.