Trust Assessment
chichi-speech received a trust score of 36/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 1 critical, 3 high, 2 medium, and 1 low severity. Key findings include "Suspicious import: requests", "Potential data exfiltration: file read + network send", and "Unpinned Python dependency version".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 38/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Direct Prompt Injection via User Input.** The skill directly passes user-controlled input to the underlying Large Language Model (LLM) without apparent sanitization or validation. Specifically, the `request.text` from the `/synthesize` API endpoint and the `REF_TEXT` variable (set via the `--ref-text` CLI argument) are fed directly into the `Qwen3TTSModel`. As Qwen3 is an LLM, this allows an attacker to inject malicious instructions, manipulate the model's behavior, or potentially extract sensitive information from the model's context. Recommendation: implement robust input validation and sanitization for all user-provided text inputs before passing them to the LLM. Consider using prompt templating or LLM-specific input filtering mechanisms to strictly separate user content from model instructions. For `REF_TEXT`, ensure it is treated purely as content for voice cloning, not as an instruction. | LLM | src/chichi_speech/server.py:67 |
| HIGH | **Potential data exfiltration: file read + network send.** Function `main` reads files and sends data over the network. This may indicate data exfiltration. Recommendation: review this function to ensure file contents are not being sent to external servers. | Static | skills/hudeven/chichi-speech/src/chichi_speech/client.py:27 |
| HIGH | **Server-Side Request Forgery (SSRF) via User-Provided Audio URL.** The `REF_AUDIO` parameter, which can be set via the `--ref-audio` command-line argument, accepts arbitrary URLs. The `Qwen3TTSModel` is expected to fetch content from this URL to create a voice clone prompt. If the provided URL is not properly validated, an attacker could supply an internal network address (e.g., `http://localhost/admin` or `file:///etc/passwd`), causing the server to make requests to internal resources or local files. This could lead to information disclosure, access to sensitive internal services, or other network-based attacks. Recommendation: implement strict URL validation for `REF_AUDIO`. Only allow trusted domains or specific protocols (e.g., `https`). If local file paths are intended, ensure they are canonicalized and restricted to a safe, non-sensitive directory using a whitelist approach. | LLM | src/chichi_speech/server.py:103 |
| HIGH | **Unpinned Critical Dependencies.** The `pyproject.toml` file specifies several critical dependencies, including `qwen-tts`, `fastapi`, `uvicorn`, and `torch`, without pinning them to exact versions. This allows automatic updates to potentially incompatible or vulnerable versions, introducing instability or security flaws without explicit review. `qwen-tts` is particularly critical as it is the core model library. Recommendation: pin all production dependencies to exact versions (e.g., `qwen-tts==X.Y.Z`). Use a dependency lock file (e.g., `poetry.lock` or `pip freeze > requirements.txt`) to ensure deterministic builds across environments. Regularly review and update dependencies to incorporate security patches. | LLM | pyproject.toml:7 |
| MEDIUM | **Suspicious import: requests.** Import of `requests` detected. This module provides network or low-level system access. Recommendation: verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/hudeven/chichi-speech/src/chichi_speech/client.py:3 |
| MEDIUM | **Unpinned Python dependency version.** Dependency `fastapi` is not pinned to an exact version. Recommendation: pin Python dependencies with exact versions where feasible. | Dependencies | skills/hudeven/chichi-speech/pyproject.toml |
| LOW | **Information Disclosure via Error Messages.** The `/synthesize` endpoint's exception handler uses `traceback.print_exc()` to print full stack traces to standard error. If this output is exposed to the client or external logs, it can reveal sensitive internal system details, file paths, and code structure, which could aid an attacker in understanding the system's vulnerabilities. Recommendation: replace `traceback.print_exc()` with a more controlled logging mechanism. For client responses, return generic error messages (e.g., "Internal Server Error") and log detailed exceptions internally for debugging purposes, ensuring sensitive information is not exposed to external users. | LLM | src/chichi_speech/server.py:79 |
Full report: https://skillshield.io/report/35ce2d3a543adcf7
Powered by SkillShield