Trust Assessment
mlx-audio-server received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 2 critical, 3 high, 0 medium, and 0 low severity. Key findings include installation from an untrusted Homebrew tap, command injection via the `ffmpeg` audio path, and command injection via the `mkdir` output directory.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via `ffmpeg` audio path: The `run_stt.sh` script directly interpolates the user-provided `audio` variable into an `ffmpeg` command without proper sanitization or escaping. An attacker can craft a malicious `audio` path (e.g., `"; rm -rf /; "`) to execute arbitrary shell commands on the system where the skill is run. Recommendation: sanitize or validate user input before using it in shell commands. For file paths, use functions like `realpath` or ensure the path does not contain shell metacharacters. Consider using `printf %q` for robust quoting if the input must be passed as a shell argument. | LLM | run_stt.sh:11 |
| CRITICAL | Command Injection via `mkdir` output directory: The `run_tts.sh` script directly interpolates the user-provided `outdir` variable into a `mkdir -p` command. An attacker can craft a malicious `outdir` value (e.g., `"; rm -rf /; "`) to execute arbitrary shell commands on the system. Recommendation: sanitize or validate user input before using it in shell commands. For directory paths, ensure the path does not contain shell metacharacters and ideally resolve it to an absolute, safe path. | LLM | run_tts.sh:6 |
| HIGH | Installation from untrusted Homebrew tap: The `install.sh` script installs a Homebrew formula from `guoqiao/tap/mlx-audio-server`. Relying on custom, potentially unverified Homebrew taps introduces a significant supply chain risk. If the `guoqiao/homebrew-tap` repository is compromised, malicious code could be injected into the `mlx-audio-server` formula, leading to arbitrary code execution on the user's system during installation. Recommendation: avoid installing from untrusted or unverified third-party repositories. If absolutely necessary, pin the formula to a specific commit hash, review the formula's code thoroughly, and consider hosting it privately or mirroring it after verification. | LLM | install.sh:10 |
| HIGH | Potential Prompt Injection via user-controlled text: The `run_tts.sh` script embeds the user-provided `text` directly into a JSON payload sent to a local `mlx-audio-server`. If this server processes the `input` field by passing it to an underlying Large Language Model (LLM) for text-to-speech generation, an attacker could craft malicious `text` to perform prompt injection, manipulating the LLM's behavior or potentially extracting sensitive information if the LLM has access to it. Recommendation: implement robust input validation and sanitization for all user-provided text that will be processed by an LLM. Consider using techniques like input filtering, output parsing, and privilege separation for LLM interactions. | LLM | run_tts.sh:27 |
| HIGH | Arbitrary file write via user-controlled output path and format: The `run_tts.sh` script constructs the output file path `"${outdir}/speech.${fmt}"` using user-controlled `outdir` and `fmt` variables. This path is then used with `curl --output`. An attacker can provide `outdir` values containing path traversal sequences (e.g., `../../`) or `fmt` values that manipulate the filename, allowing them to write the generated audio file to an arbitrary location on the filesystem. This could lead to overwriting critical system files, creating executable files in sensitive directories, or exfiltrating data by writing to publicly accessible web directories. Recommendation: restrict output file paths to a designated, sandboxed directory. Validate `outdir` and `fmt` to prevent path traversal and ensure they only contain safe characters. Do not allow user input to directly control file paths or extensions without strict validation. | LLM | run_tts.sh:8 |