Qwen3-TTS VoiceDesign

Security checks across malware telemetry and agentic risk

Overview

This TTS skill appears to do what it says, but its network-facing default server and unsafe setup/persistence guidance should be reviewed before installation.

Install only if you are comfortable running and administering a local TTS server. Prefer binding TTS_HOST to 127.0.0.1, avoid exposing the port without authentication and firewall controls, do not use the highest-privilege scheduled-task example, and treat the .env file as trusted executable shell input unless the loader is changed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The start path sources the .env file directly in the shell, so any shell syntax placed in that file will execute with the user's privileges when the service is started. A .env file should be treated as data, not code; in this TTS setup context, loading configuration does not require arbitrary shell execution, so this exceeds expected capability and creates a real code-execution risk.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill defaults the server bind address to 0.0.0.0 and documents plain HTTP access, which can expose the TTS service to the local network or broader internet if port forwarding, cloud security groups, or host firewall rules permit it. Even if the service is 'just TTS,' unauthenticated exposure can leak submitted text, enable misuse of compute resources, and create a foothold if the underlying server stack has vulnerabilities.

VirusTotal

65/65 vendors flagged this skill as clean.
