Back to skill

Security audit

Voice

Security checks across malware telemetry and agentic risk

Overview

This voice skill is broadly consistent with text-to-speech use, but its normal inputs can reach shell and system playback commands, so users should review it before installing.

Install only if you trust the publisher and can tolerate Review-level risk. Do not pass secrets, private messages, credentials, or untrusted text/options to this skill until it uses safe argument-array execution, constrains playback and output paths, pins dependencies, and clearly discloses external TTS processing and file retention.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill exposes a generic `play` action that accepts an arbitrary `filePath` and passes it to OS-native media players, allowing callers to trigger playback of any locally accessible audio file rather than only TTS output generated by the skill. In a voice/TTS skill, this broadens capability beyond the stated purpose and can be abused to access or use local resources unexpectedly, especially if the host environment treats skills as lower-trust components.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The `install` action executes `pip3 install edge-tts` through a shell command at runtime, giving the skill the ability to modify the host environment and fetch code from external package sources. This exceeds normal TTS functionality and creates supply-chain and environment-integrity risk, especially if the action can be triggered remotely or without explicit operator approval.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documentation describes using Microsoft's Edge TTS engine but does not clearly warn users that the provided text is transmitted to an external service for synthesis. This creates a privacy and data-handling risk because users may submit sensitive text under the assumption processing is local, especially in an assistant/agent context where prompts can contain secrets or personal data.

Natural-Language Policy Violations

Low
Confidence
78% confidence
Finding
Setting a Chinese voice as the default is not inherently dangerous, but doing so without documenting the choice or requiring user selection can create unexpected behavior, confusion, or trust concerns for users expecting a locale-appropriate default. In a voice skill, undocumented defaults matter because they affect user experience and may obscure that outbound cloud synthesis settings are being applied automatically.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Automatic dependency installation occurs with no user-facing warning, confirmation, or privilege boundary, so a normal skill invocation can cause network access and package installation on the host. Even though the command is fixed, silent installation is risky because it changes system state and may pull unpinned third-party code unexpectedly.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "zhaov1976",
  "license": "MIT",
  "dependencies": {
    "edge-tts": "^1.0.0"
  }
}
Confidence
92% confidence
Finding
"edge-tts": "^1.0.0"

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
index.js:111