Skills
skills/terrylica/cc-skills/voice-quality-audition/Gen Agent Trust Hub

voice-quality-audition

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes local shell scripts including tts_kokoro_audition.sh and kokoro-install.sh via the Bash tool. These scripts are not part of the skill package and their integrity cannot be verified.
  • [DATA_EXFILTRATION]: The skill reads from the system clipboard using the pbpaste command. This presents a data exposure risk as the clipboard may contain sensitive information such as passwords, private keys, or personal data that is then processed by the TTS engine.
  • [EXTERNAL_DOWNLOADS]: The kokoro-install.sh script is described as having --install and --upgrade capabilities, which typically involve downloading software packages and voice models from remote, unverified sources.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via the clipboard content it processes.
  • Ingestion points: System clipboard data captured via pbpaste in SKILL.md.
  • Boundary markers: Absent; the skill does not use delimiters or instructions to ignore embedded commands within the clipboard text.
  • Capability inventory: The skill possesses Bash, Read, and Glob tools, providing a significant attack surface if malicious instructions are processed.
  • Sanitization: Absent; no sanitization or validation of the clipboard content is performed before it is passed to shell scripts.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 1, 2026, 07:04 AM