VOICEVOX Narration System
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [Command Execution] (LOW): The skill executes several local shell scripts and Python files located in hardcoded absolute paths (e.g., /Users/a003/dev/...). This creates a dependency on a specific local environment and assumes the integrity of scripts at those paths.
- [Remote Code Execution] (LOW): A command pattern was detected: curl http://127.0.0.1:50021/speakers | python -m json.tool. Although piping network content to an interpreter is a high-risk pattern, manual review confirms this is a benign use of the standard library JSON module for formatting data from a local service.
- [Indirect Prompt Injection] (LOW): The skill ingests Git commit messages to generate dialogue scripts.
  1. Ingestion points: Git commit history parsed by yukkuri-narration-generator.py.
  2. Boundary markers: Absent.
  3. Capability inventory: Bash, Read, Write, Grep, Glob.
  4. Sanitization: None documented.
  This surface allows an attacker with commit access to potentially influence the agent's dialogue generation output.
Recommendations
- HIGH: Downloads and executes remote code from: http://127.0.0.1:50021/speakers - DO NOT USE without thorough review
Audit Metadata