text2speech
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The Node.js wrapper (index.js) and post-install script (scripts/postinstall.js) use spawn to execute pip with the --break-system-packages flag. This bypasses PEP 668 protections intended to prevent external tools from modifying the system Python environment, creating a risk of system corruption.
- [REMOTE_CODE_EXECUTION] (HIGH): The skill triggers remote code execution by installing packages directly from a non-whitelisted GitHub repository (CatfishW/TTSAgentSkill) during setup.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill performs unauthenticated downloads of Python dependencies and source code during the installation process.
- [DATA_EXFILTRATION] (LOW): The skill transmits user-provided text to a third-party API (mc.agaii.org). While expected for TTS functionality, this is an external domain not in the trusted scope.
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to indirect prompt injection (Category 8). 1. Ingestion points: text, description, and instruction arguments in SKILL.md. 2. Boundary markers: None identified. 3. Capability inventory: Network access via requests, file writing for audio output, and process execution via the Node wrapper. 4. Sanitization: No sanitization or validation of input text is performed before processing.
Recommendations
- AI detected serious security threats
Audit Metadata