Smart Voice-Over Synthesis Shrimp (智能配音合成虾)

Security checks across malware telemetry and agentic risk

Overview

The skill is a mostly coherent voice-synthesis tool, but it unnecessarily instructs agents to print API keys, which could expose paid service credentials.

Review before installing. Do not run the documented API-key echo command; use presence-only checks for credentials. Only use this with text you are comfortable sending to ElevenLabs or OpenAI, and expect generated audio files to be written locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

High
Confidence: 98%
Finding
The skill explicitly tells the agent to run a shell command that echoes API key environment variables, which can expose secrets in logs, in chat transcripts, or to the user. In a skill context, instructing the agent to print secret material is a direct confidentiality risk, and it is more dangerous here because the values include credentials for external services.

VirusTotal

67/67 vendors flagged this skill as clean.
