Skills
skills/notedit/happy-skills/tts-skill/Gen Agent Trust Hub

tts-skill

Pass

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: LOWPROMPT_INJECTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
  • Prompt Injection (LOW): The text-to-audio and voice-design functions ingest untrusted text data that supports SSML (Speech Synthesis Markup Language) tags. Ingestion points: text parameter in text_to_audio and prompt/preview_text in voice_design. Boundary markers: None identified in documentation. Capability inventory: Performs network requests via requests and writes files to output_path. Sanitization: No sanitization is mentioned. Malicious input could use SSML to manipulate output audio characteristics.
  • External Downloads (LOW): The setup.md file recommends installing the requests library via pip without specifying a version, which is an unverifiable dependency practice.
  • Data Exfiltration (LOW): The skill connects to api.minimax.io, a domain not present on the standard whitelist.
  • Data Exposure (INFO): The documentation advises users to store their MINIMAX_API_KEY in plain text within shell configuration files (.zshrc, .bashrc), which is a common but sub-optimal security practice.
Audit Metadata
Risk Level
LOW
Analyzed
Feb 15, 2026, 09:41 PM