speak-with-profile
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/speak_with_profile.py utilizes subprocess.run to execute a secondary Python script (scripts/text_to_speech.py) and system audio utilities (open, afplay).
- [COMMAND_EXECUTION]: Critical paths for execution, specifically the Python interpreter (--python-bin) and the synthesis script path (--tts-cli-path), are exposed as CLI arguments. This exposure allows for potential arbitrary command execution if an attacker can influence the agent's parameters via indirect prompt injection.
- [PROMPT_INJECTION]: The skill maintains an indirect prompt injection surface due to its reliance on external, potentially untrusted data sources.
  - Ingestion points: Data is ingested from files specified via --text-file and --profiles-file, as well as from the default configuration files config/customization.yaml and config/customization.template.yaml in the scripts/speak_with_profile.py script.
  - Boundary markers: The skill enforces a character limit (4096) on input text, but lacks explicit delimiters or boundary markers to distinguish between data and instructions within the speech profiles.
  - Capability inventory: The skill possesses the capability to execute subprocesses and write manifest files, as demonstrated in scripts/speak_with_profile.py.
  - Sanitization: While profile IDs, voices, and formats are validated against pre-defined schemas, the instructions field and the input text itself are not sanitized before being passed to the synthesis backend.
Audit Metadata