windows-tts
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The script `scripts/say.sh` constructs a PowerShell command string by concatenating variables like `VOICE` and `TEXT` directly into a script block. While it attempts to escape double quotes using `sed 's/"/"/g'`, it fails to sanitize other PowerShell control characters such as backticks (`), semicolons (;), or subexpression syntax ($()). An attacker providing a payload like `"); Start-Process calc; #` would successfully break out of the `Speak()` method and execute arbitrary code on the Windows host.
- [Indirect Prompt Injection] (HIGH): As a TTS skill, this tool is designed to process text which often originates from untrusted external sources (e.g., website content, emails, or chat messages). Because the skill lacks a security boundary or robust sanitization (Category 8), any malicious instructions embedded in processed data can trigger the Command Execution vulnerability mentioned above.
- Ingestion points: The `TEXT` argument in `scripts/say.sh` (derived from agent context).
- Boundary markers: None. The input is interpolated directly into a string template.
- Capability inventory: Direct execution of `powershell.exe` with access to the host Windows environment.
- Sanitization: Insufficient; only escapes double quotes, leaving multiple other injection vectors open.
Recommendations
- AI detected serious security threats
Audit Metadata