Security audit

Local Voice (FluidAudio TTS/STT)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a disclosed local voice service with normal setup, background-service, and model-download risks, not evidence of malicious behavior.

Install only if you are comfortable with a background macOS user service that starts at login, listens on localhost, installs Homebrew/Swift dependencies, and may download speech models before operating locally. Review the setup script first and be prepared to unload the LaunchAgent and remove the installed files if you want to disable it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill includes shell commands that install packages, copy binaries/frameworks, modify runtime paths, and load a LaunchAgent, yet no permissions are declared. This creates an undeclared capability gap: users may believe the skill is documentation-only while it actually instructs privileged local system changes and persistence-related actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The stated purpose emphasizes local TTS/STT, but the documented behavior also installs external dependencies, creates a persistent background service, exposes an HTTP API, and references wrapper behavior not fully described in the metadata. This mismatch weakens informed consent and can conceal risky operational behavior, especially persistence and network-listening components.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code calls AsrModels.downloadAndLoad(version: .v3) during STT initialization, which contradicts the stated 'entirely on-device' and local-only behavior. This introduces undeclared network access, creating privacy, supply-chain, and integrity risk because model retrieval depends on a remote source at runtime rather than exclusively local assets.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
A service presented as a local voice component should not need general runtime network capability, yet downloadAndLoad adds that dependency implicitly. Even if only used for model fetches, this expands the trust boundary and attack surface, enabling unexpected outbound connections and possible remote content influence over a component that users may assume is offline-only.

Session Persistence

Medium
Category
Rogue Agent
Content
### 4. Create LaunchAgent

```bash
cat > ~/Library/LaunchAgents/com.stella.tts.plist << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
Confidence
95% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
cat > ~/Library/LaunchAgents/com.stella.tts.plist << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
Confidence
93% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
cat > ~/Library/LaunchAgents/com.stella.tts.plist << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
Confidence
93% confidence
Finding
PLIST

Session Persistence

Medium
Category
Rogue Agent
Content
cat > ~/Library/LaunchAgents/com.stella.tts.plist << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.stella.tts</string>
Confidence
93% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
<key>StandardErrorPath</key>
    <string>$HOME/.clawdbot/logs/stella-tts.err.log</string>
</dict>
</plist>
EOF

launchctl load ~/Library/LaunchAgents/com.stella.tts.plist
Confidence
91% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
</plist>
EOF

launchctl load ~/Library/LaunchAgents/com.stella.tts.plist
```

## API Endpoints
Confidence
92% confidence
Finding
launchctl load

Session Persistence

Medium
Category
Rogue Agent
Content
</plist>
EOF

launchctl load ~/Library/LaunchAgents/com.stella.tts.plist
```

## API Endpoints
Confidence
92% confidence
Finding
plist

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.