tts-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's code (assets/minimax_tts.py list_voices and related functions) makes HTTP requests to the external MiniMax API (default https://api.minimax.io/v1/voice/list and other endpoints) and the documented workflow (rules/list-voices.md and SKILL.md) expects the agent to fetch and use returned voice entries — which can include user-cloned/designed voices and sample URLs (user-generated/untrusted content) that the agent reads and can influence subsequent choices (e.g., selecting voice_id for TTS).