Snowvoice Tts

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local text-to-speech skill, but its setup can run an unverified installer from a mutable GitHub repository and it lacks clear safeguards for voice cloning use.

Install only if you trust the SnowVoice Studio upstream project and are comfortable with an agent running its installer locally. Before setup, review the upstream install.sh, confirm the install path, expect large persistent model files, and use voice cloning only with authorization from the voice owner.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%

Finding: The skill clearly instructs the agent to run shell commands for environment setup, model download, and TTS execution, yet no permissions are declared. This creates a trust and control gap: the agent may execute local commands, clone repositories, create virtual environments, and download large artifacts without explicit user-visible authorization boundaries.

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%

Finding: The init script performs remote repository cloning, executes a downloaded installer script, and downloads large models, which materially changes the local system beyond simple TTS operation. In a skill context, this expands the trust boundary to third-party remote content and creates supply-chain risk if the repository or installer is compromised.

Vague Triggers

Severity: Medium
Confidence: 77%

Finding: The trigger phrases are common natural-language requests such as converting text to speech or reading text aloud, without constraints that limit when the skill should activate. Overbroad triggers can cause unintended invocation, leading the agent to initiate shell-based setup or synthesis workflows in contexts where the user did not explicitly ask to use this particular tool.

Missing User Warnings

Severity: High
Confidence: 92%

Finding: The skill advertises voice cloning and persona-based synthesis but provides no warning about consent, impersonation, or privacy risks. In this context, omission is dangerous because users may clone or generate voices of real people without authorization, enabling fraud, harassment, or misuse of biometric voice data.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding: The script clones a remote repository and then directly executes its install.sh without any integrity verification or explicit confirmation at the execution point. If the upstream repository is compromised or altered, this becomes arbitrary code execution on the host under the current user's privileges.

VirusTotal

67/67 vendors flagged this skill as clean.