skills/indiemakergo/ai-automation/tts/Gen Agent Trust Hub

tts

Warn

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION]: The skill contains a path traversal vulnerability in its file-writing logic. In scripts/cli.mjs, the ttsBySpeaker function resolves the output file path using the speaker variable without sanitization. A malicious input for the speaker name could be used to write files to arbitrary locations on the host system.
  • [COMMAND_EXECUTION]: The skill executes shell commands using the zx library. This includes running npm install during the initialization phase and ffmpeg within scripts/verify.mjs to perform audio validation.
  • [EXTERNAL_DOWNLOADS]: The skill relies on external network resources. The init command triggers an npm install, which downloads packages from the public NPM registry. Additionally, the skill communicates with api.fish.audio and dashscope.aliyuncs.com (an established service by Alibaba Cloud) to generate audio content.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 18, 2026, 01:48 PM