qwen3-tts
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill instructions in `references/finetuning.md` require cloning a repository from an untrusted source (github.com/QwenLM/Qwen3-TTS) and executing local Python scripts (`prepare_data.py`, `sft_12hz.py`) within that repository.
- [COMMAND_EXECUTION] (HIGH): The skill documentation in `SKILL.md` provides commands to launch a Gradio web service using `qwen-tts-demo` with the `--ip 0.0.0.0` flag. This binds the service to all network interfaces, potentially exposing the host system and the agent's capabilities to unauthorized network access.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The environment setup requires installing packages (`qwen-tts`, `flash-attn`) from external registries. While standard, these are not from the specified trusted organizations.
- [DYNAMIC_EXECUTION] (MEDIUM): The command `pip install -U flash-attn --no-build-isolation` triggers runtime compilation of C++/CUDA code, which is a form of dynamic execution of untrusted build instructions.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill ingests untrusted text data via the `text` and `instruct` parameters of the `generate_custom_voice` and `generate_voice_design` methods.
- Ingestion points: `text`, `instruct`, and `ref_text` parameters in `SKILL.md` and `references/api_reference.md`.
- Boundary markers: Absent; instructions are directly interpolated into model inputs.
- Capability inventory: Subprocess calls for the Gradio demo (`qwen-tts-demo`) and fine-tuning scripts; file write via `sf.write`.
- Sanitization: No evidence of input sanitization or filtering for the instructions provided to the TTS models.
Recommendations
- AI detected serious security threats
Audit Metadata