Local Llama TTS

The `scripts/tts-local.sh` script is vulnerable to shell injection. The `$SPEAKER_PARAM` variable is constructed using user-supplied input (the speaker file path) and then expanded unquoted in the final `llama-tts` command. This allows an attacker to inject arbitrary shell commands by providing specially crafted input to the `-s` or `--speaker` option, leading to potential remote code execution if the agent executes this skill with untrusted input.