skills/elizaos/eliza/sherpa-onnx-tts/Gen Agent Trust Hub

sherpa-onnx-tts

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGH · EXTERNAL_DOWNLOADS · COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill downloads platform-specific executable binaries and shared libraries from https://github.com/k2-fsa/sherpa-onnx. As this organization is not on the trusted list, these downloads are considered unverifiable and high-risk.
  • [COMMAND_EXECUTION] (HIGH): The bin/sherpa-onnx-tts script uses spawnSync to execute the downloaded sherpa-onnx-offline-tts binary. Executing binaries from untrusted external sources poses a significant security risk of arbitrary code execution.
  • [DYNAMIC_EXECUTION] (MEDIUM): The script dynamically modifies critical environment variables (LD_LIBRARY_PATH, DYLD_LIBRARY_PATH, and PATH) to point to the downloaded directories. This is used to force the loading of downloaded shared libraries at runtime.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The script ingests user-provided text through command line arguments and interpolates it directly into the binary execution command. While typically benign for TTS, it represents an unvalidated data ingestion surface.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 18, 2026, 06:11 PM