text-to-speech

Fail

Audited by Socket on Feb 25, 2026

1 alert found:

Malware: HIGH
SKILL.md

The skill is a documentation/integration wrapper that instructs users to install and use the inference.sh CLI to run hosted TTS models. The primary security concerns are supply-chain and credential risks from the installer pattern (curl | sh) and from handing credentials to a third-party binary. Functionally, the capabilities align with the stated purpose (TTS, voice cloning, long-form audio) and the use of a hosted inference service is expected for this functionality. There is no direct evidence in the provided text of intentionally malicious code (no hardcoded keys, no obfuscated payloads, no inlined network exfiltration instructions). However, the download-and-execute install pattern and the requirement to log in to a third-party CLI justify a medium security risk rating: the distribution and authentication flows are plausible attack vectors if the infrastructure is compromised.

Recommendations: avoid piping remote scripts into sh; verify checksums before executing; prefer installing from package managers, or provide explicit checksum verification steps; review where and how the CLI stores credentials before use.

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 25, 2026, 05:37 PM
Package URL: pkg:socket/skills-sh/inference-sh-9%2Fskills%2Ftext-to-speech%2F@869d9a5b1df18f9952f91e38627d8a84014eb331