Deepdub TTS

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: it sends text to Deepdub to create an audio file, with disclosed setup requirements and no hidden persistence found.

Install only if you are comfortable sending synthesized text to Deepdub. Use your own Deepdub API key and voice prompt ID for private or production use, avoid sensitive text with the shared trial credentials, and consider pinning the Deepdub SDK version in managed environments.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The skill documentation publishes shared trial credentials and encourages their use without clear warnings about privacy, logging, cross-tenant access, or ownership of generated content. Users may unknowingly send sensitive text through a common account, exposing prompts, usage history, or quota to unrelated parties and normalizing insecure credential handling.

Unpinned Dependencies

Low

Category: Supply Chain
Content: deepdub
Confidence: 96% confidence
Finding: deepdub

VirusTotal

47/47 vendors flagged this skill as clean.

View on VirusTotal