sherpa-onnx-tts

The skill enables a legitimate local TTS workflow using sherpa-onnx offline assets. The core concern is the download-and-extract of unverifiable binaries from GitHub without explicit verification (signatures/checksums). This creates a non-trivial supply-chain risk and warrants elevated security caution (securityRisk at least 0.7). Otherwise, the data flows are confined to local machine inputs and outputs with no credential handling or external exfiltration detected. Recommend adding explicit integrity checks (signatures/checksums, pinned hashes) and repository-verifiable provenance for the binaries before lowering risk.