Back to skill

Security audit

Voice Reply

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate local text-to-speech tool, but its installer uses privileged system installation and unsigned downloaded binaries, so it should be reviewed before use.

Install only if you trust the publisher and the upstream sherpa-onnx release source. Review the install script first, consider verifying downloaded release checksums yourself, and avoid running the privileged installer on systems where unverified binaries under /opt would be unacceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises shell-based installation and execution behavior but does not declare corresponding permissions or operational capabilities. This creates a transparency and policy gap: a host may route or approve the skill without understanding it invokes local binaries and shell commands, increasing the chance of unexpected command execution in a broader agent environment.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The README suggests activation phrases like "Reply with a voice message" and "Say that as audio," which are broad natural-language requests a user might say in ordinary conversation. In assistant ecosystems that route skills from free-form text, overly generic invocation examples can encourage ambiguous triggering, causing this skill to activate when the user did not specifically intend to use it.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The invocation text is very broad ('voice reply', 'audio response', 'wants to hear something read aloud'), which can cause the skill to activate for many ordinary requests. Over-broad routing is dangerous because it may transform or externalize user content unexpectedly, especially when the skill executes local tooling and writes media files.

Natural-Language Policy Violations

Medium
Confidence
72% confidence
Finding
Automatic language selection without explicit user choice can lead to unintended processing behavior and incorrect voice/model selection. In an agent setting, implicit decisions about content handling are risky because they reduce user control and can mis-handle sensitive or mixed-language text.

External Transmission

Medium
Category
Data Exfiltration
Content
mkdir -p "$SHERPA_DIR"
    cd "$SHERPA_DIR"
    echo "Downloading sherpa-onnx $SHERPA_VERSION..."
    curl -L -o sherpa.tar.bz2 "https://github.com/k2-fsa/sherpa-onnx/releases/download/${SHERPA_VERSION}/sherpa-onnx-${SHERPA_VERSION}-linux-x64-shared.tar.bz2"
    echo "Extracting..."
    tar -xjf sherpa.tar.bz2 --strip-components=1
    rm sherpa.tar.bz2
Confidence
90% confidence
Finding
curl -L -o sherpa.tar.bz2 "https://github.com/k2-fsa/sherpa-onnx/releases/download/${SHERPA_VERSION}/sherpa-onnx-${SHERPA_VERSION}-linux-x64-shared.tar.bz2" echo "Extracting..." tar -xjf sherp

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.