pocket-tts
Audited by Socket on Mar 1, 2026
1 alert found:
Obfuscated File

The provided documentation and examples for pocket-tts describe legitimate local TTS usage but expose a few noteworthy supply-chain and runtime risks. The highest-risk behavior is per-request arbitrary voice_url fetching (http/https/hf://), which can cause server-side outbound network access controlled by requesters: this enables SSRF, retrieval of untrusted model/audio artifacts, and increases attack surface for crafted inputs.

Additional concerns: lack of documented authentication or binding restrictions, no integrity or provenance checks for remote voices, and unpinned installer instructions.

No direct evidence of malware or obfuscated/backdoor code is present in this fragment, but operators should apply mitigations: restrict server binding to loopback, require authenticated or vetted voice sources, validate and sandbox fetched content, and prefer pinned package installs. Overall risk stems from operational configuration and untrusted remote fetches rather than explicit malicious code.