sherpa-onnx-tts
Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches official pre-compiled binaries and voice models from the k2-fsa/sherpa-onnx repository on GitHub during the installation process.
- [COMMAND_EXECUTION]: The Node.js wrapper script in bin/sherpa-onnx-tts executes the downloaded binary using spawnSync. The implementation passes arguments as an array, which correctly prevents shell injection vulnerabilities.
- [COMMAND_EXECUTION]: The script dynamically updates environment variables (LD_LIBRARY_PATH, DYLD_LIBRARY_PATH, and PATH) to include the local runtime directory, ensuring the binary can correctly load its required shared libraries from the downloaded folder.
Audit Metadata