Back to plugin

Security audit

Cartesia Speech

Security checks across malware telemetry and agentic risk

Overview

This appears to be a straightforward Cartesia text-to-speech plugin; it uses a Cartesia API key, sends text to Cartesia for speech generation, and runs ffmpeg for audio conversion, all of which are disclosed and purpose-aligned.

Install only if you are comfortable sending TTS text to Cartesia, using a Cartesia API key, and running a trusted local ffmpeg binary for voice notes. Keep the default Cartesia endpoint unless you trust an alternative, store the API key securely, and enable suppressDuplicateText only if you want voice-only replies.

VirusTotal

62/62 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/speech-provider.js:36
Evidence
apiKey: [REDACTED](cfg.apiKey),

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
README.md:77
Evidence
export CARTESIA_API_KEY=[REDACTED]