voice
Warn
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The `speak.sh` script evaluates the `POCKET_TTS_PLAYER` environment variable without shell quoting. While intended to allow for command-line arguments (e.g., flags for a media player), this creates a vector for command injection if the environment variable is set to a malicious string.
- [EXTERNAL_DOWNLOADS]: The skill's documentation and behavior indicate that it downloads external model and voice assets during its initial execution.
- [COMMAND_EXECUTION]: The script initiates a background server process using `nohup` when 'voice mode' is enabled, which persists in the system's background until explicitly stopped or the environment is reset.
Audit Metadata