Trust Assessment
mac-tts received a trust score of 73/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 0 critical, 2 high, 0 medium, and 0 low severity. Key findings: potential command injection via the `say` command, and potential command injection via the `osascript` command.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential for Command Injection via `say` command: The skill documentation demonstrates the use of the `say` command for text-to-speech. If the text to be spoken is derived from untrusted user input without proper sanitization, an attacker could inject arbitrary shell commands. For example, `say "Hello; rm -rf /"` could lead to data loss or system compromise. This is a common vulnerability when directly embedding user input into shell commands. Implement robust input sanitization and validation for all user-provided text before passing it to the `say` command. Ensure that shell metacharacters are properly escaped (e.g., using `shlex.quote()` in Python) or consider using a safer API that does not involve direct shell execution if available. | LLM | SKILL.md:8 |
| HIGH | Potential for Command Injection via `osascript` command: The skill documentation demonstrates the use of `osascript` to control system volume. If any part of the AppleScript string, especially parameters like the volume level, is derived from untrusted user input without proper sanitization, an attacker could inject arbitrary AppleScript or shell commands (via `do shell script`). This could lead to unauthorized system control or data exfiltration. Implement robust input sanitization and validation for all user-provided parameters before constructing `osascript` commands. Avoid direct string concatenation with untrusted input. Ensure that numerical inputs are strictly validated to be within expected ranges and types, and that no shell metacharacters can be injected into the AppleScript string. | LLM | SKILL.md:32 |