sherpa-onnx-tts
Pass
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads pre-compiled runtime binaries and voice models from the official k2-fsa/sherpa-onnx GitHub repository during the installation phase.
- [COMMAND_EXECUTION]: The Node.js wrapper script executes the downloaded TTS binary using child_process.spawnSync, which securely passes text as a positional argument to prevent shell injection.
- [COMMAND_EXECUTION]: The script modifies the environment's library search paths (such as LD_LIBRARY_PATH and DYLD_LIBRARY_PATH) at runtime to ensure the binary can access its required shared libraries.
Audit Metadata