
Security audit

Telnyx Tts

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward Telnyx text-to-speech helper, with expected cloud API use and local audio output.

Install this if you are comfortable sending the text you provide to Telnyx for speech generation. Do not use it for secrets, regulated data, or private content unless that third-party processing is acceptable, and choose the output file path carefully because the script can create or overwrite files your user account can write.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding:
The skill metadata declares an environment variable requirement (`TELNYX_API_KEY`) but does not declare corresponding permissions, creating a mismatch between documented capabilities and permission signaling. This can weaken review and policy enforcement by obscuring that the skill depends on sensitive secret material, even though the skill’s purpose legitimately requires an API key.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The usage and description explain text-to-speech conversion but omit a clear warning that user-provided text is transmitted to Telnyx, a third-party external API, and that generated audio is written to a local file. This can cause unintentional disclosure of sensitive input or persistence of sensitive output on disk when users assume processing is local or ephemeral.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The script sends arbitrary input text to Telnyx over a network connection without any explicit warning, confirmation, or disclosure at the point of use. In a skill ecosystem, users may reasonably assume local processing, so sensitive prompts, secrets, or personal data could be unintentionally disclosed to a third-party service.

VirusTotal

64/64 vendors flagged this skill as clean.
