Voice

This skill appears to do what it says (edge-tts TTS + playback), but the implementation builds and executes shell command strings with user-provided text. That creates a real command-injection risk: a maliciously crafted input could execute arbitrary shell commands on the host. Before installing or enabling this skill in sensitive environments, consider the following: - Do not run it on production systems or hosts with sensitive data until reviewed or sandboxed. - Inspect and/or modify the code to avoid exec with a concatenated command string. Safer alternatives: - Use child_process.spawn with an argument array (no shell) or spawnFile so the text is passed as an argument rather than interpolated into a shell command. - Or call the Python API (edge-tts package) from a subprocess with structured arguments or via an RPC/worker, avoiding shell interpolation. - Properly escape or validate user text (but escaping is easy to get wrong; prefer avoiding the shell entirely). - Consider changing the temp directory to a skill-local, non-shared path and ensure it cannot traverse outside the skill folder. The code currently writes to path.join(__dirname, '..', '..', 'temp'), which may be broader than expected. - Avoid running the 'install' action automatically; perform dependency installation manually in a controlled environment. If you are not able to patch the code, run the skill only in an isolated sandbox or container and avoid giving it access to sensitive files or credentials.