Back to skill

Security audit

TTS AutoPlay with Wake Word

Security checks across malware telemetry and agentic risk

Overview

This looks like a real TTS autoplay skill, but it tells users to run missing PowerShell scripts with execution-policy bypass, so the local behavior cannot be verified from the package.

Review carefully before installing. Do not run the referenced PowerShell scripts unless they are actually present, from a trusted source, and inspected. Prefer tagged TTS mode over always mode, and configure explicit wake phrases to reduce accidental speech in shared or sensitive environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README explicitly instructs users to run PowerShell scripts with `-ExecutionPolicy Bypass`, which disables an important Windows safety control intended to reduce accidental execution of untrusted scripts. In the context of a downloadable skill that asks users to execute local installer and runtime scripts, this increases the chance that a tampered or malicious script will run without user scrutiny.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill advertises wake words such as "voice" and the test flow even suggests ordinary greetings like "你好", which creates ambiguity about when audio playback will occur. In a voice-output skill, broad or inconsistent triggers can cause unintended autoplay, creating privacy, nuisance, or social-engineering risks in shared or quiet environments.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The test instruction says users can start by saying "用语音回复" or just "你好", which directly contradicts the stated wake-word requirement. That inconsistency can mislead users into believing autoplay is more permissive than described, increasing the likelihood of accidental triggering or deployment with misunderstood behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installation metadata instructs users to run scripts with PowerShell ExecutionPolicy Bypass, which weakens a built-in safety control and normalizes running untrusted local code without policy checks. Even though this markdown file is documentation, recommending bypass materially increases the chance that users execute malicious or modified scripts from the skill directory.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The quick-start section repeats the recommendation to launch installation and runtime scripts with ExecutionPolicy Bypass, reinforcing an unsafe operational pattern. In the context of a community-distributed skill, this lowers the barrier to executing tampered PowerShell files and makes social-engineering attacks more effective.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The wake-word list includes very common single-character or everyday terms such as “念”, “读”, and “说”, which can appear in normal conversation and unintentionally enable voice playback. In a chat setting this can cause unexpected audio output, creating privacy and usability risks, especially in shared or quiet environments.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Custom wake words like “助手” are overly generic and may be triggered in ordinary references rather than explicit requests for audio playback. Because this skill auto-plays TTS, broad activators increase the chance of accidental or attacker-induced triggering, leading to unwanted speech output and potential disclosure of sensitive response content aloud.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The design proposes monitoring session history through logs or an API to detect wake words, but does not define clear user notice, consent, retention limits, or access controls. Accessing chat history for auxiliary automation expands the privacy boundary and can expose sensitive user content if logs are over-collected, improperly stored, or readable by other processes.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The low-priority wake-word list includes very broad everyday terms such as '说', '念', '读', '讲', 'audio', and 'play', which are likely to appear in ordinary conversation without the user intending audio playback. In this skill's context, that can cause unintended TTS generation and autoplay, creating privacy, nuisance, and consent issues because spoken output may occur in environments where audio is inappropriate.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The document relies on the AI to infer when to add the [[tts]] tag but does not define exclusion rules, ambiguity handling, or negative examples. In a skill that autoplays generated speech, this increases the chance of false activations, making the system speak responses unexpectedly and undermining user control over audio output.

Natural-Language Policy Violations

Medium
Confidence
79% confidence
Finding
The sample configuration hard-codes a Chinese voice and language without mentioning user choice, consent, or localization fallback. While not a direct code execution issue, this can produce unexpected speech characteristics, reduce accessibility for some users, and weaken informed consent around how voice output is presented.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.