sherpa-onnx-tts
Warn
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads pre-compiled binary runtimes and data models from the k2-fsa/sherpa-onnx GitHub repository during its installation phase. The audit does not state whether the downloads are pinned to a specific release or verified against a checksum; both should be confirmed before the installed artifacts are trusted.
- [REMOTE_CODE_EXECUTION]: The script in bin/sherpa-onnx-tts executes the downloaded sherpa-onnx-offline-tts binary using spawnSync. The binary runs with the full privileges of the user invoking the skill, so the skill's effective behaviour is whatever the download source served; a substituted or tampered artifact would execute with those same privileges.
- [DYNAMIC_EXECUTION]: The skill sets sensitive environment variables such as LD_LIBRARY_PATH, DYLD_LIBRARY_PATH, and PATH at runtime so that the downloaded binary can locate and load its required shared libraries. These variables control which shared objects the dynamic loader resolves for the child process, so the directory they point at must be trustworthy: anyone able to write to it can substitute a library that the binary will load.
- [COMMAND_EXECUTION]: The skill takes user-supplied text and passes it as a command-line argument to the spawned binary. Because it uses an argument array rather than a shell command string, the text reaches the binary as a single argv element and shell metacharacters in it cannot start additional commands. The binary still parses that argv itself, so text beginning with `-` may be interpreted as an option unless the script separates it, and untrusted input is still being handed to a native binary.
Audit Metadata