sherpa-onnx-tts
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's configuration downloads pre-compiled runtimes and speech models from a third-party GitHub repository ('k2-fsa/sherpa-onnx') that is not on the trusted vendors list.
- [REMOTE_CODE_EXECUTION]: The skill downloads and runs an external executable binary ('sherpa-onnx-offline-tts') on the host system, which could be exploited if the remote source is compromised.
- [COMMAND_EXECUTION]: The wrapper script 'bin/sherpa-onnx-tts' uses 'node:child_process.spawnSync' to execute the downloaded binary with arguments derived from environment variables and user-supplied text.
- [DYNAMIC_EXECUTION]: The wrapper script points the dynamic loader's search path ('LD_LIBRARY_PATH' on Linux, 'DYLD_LIBRARY_PATH' on macOS, and 'PATH' on Windows, where it doubles as the DLL search path) at the downloaded runtime directory, so the downloaded binary resolves its shared libraries from an externally sourced directory rather than from the system library locations. Any library in that directory is loaded without further verification.
Recommendations
- AI detected serious security threats
Audit Metadata