smart-tts

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward text-to-speech helper that uses a DashScope API key to generate local WAV audio files, with no evidence of hidden or unrelated behavior.

Install only if you are comfortable using DashScope for the text you synthesize. Use a limited-purpose API key, install the dashscope SDK from a trusted source, and move or rename generated WAV files if you need to keep older outputs.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill documentation instructs users to set an API key in the environment and references local file output, which indicates access to sensitive environment data and filesystem operations without any declared permissions. This is dangerous because users and hosting platforms cannot accurately assess or constrain what the skill needs, increasing the chance of over-privileged execution and accidental exposure of secrets or local data.

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The skill states that generated audio is automatically saved to a local path, but it does not clearly warn users before writing to disk or explain overwrite/retention behavior. This can lead to unexpected local file creation, privacy issues if synthesized content is sensitive, and confusion about where data is stored.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal