Trust Assessment
tts-whatsapp received a trust score of 50/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 3 high, 1 medium, and 0 low severity. Key findings include Sensitive path access: AI agent config, Unpinned `piper-tts` dependency, Unverified external voice model downloads.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/hopyky/tts-whatsapp/SKILL.md:21 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/hopyky/tts-whatsapp/SKILL.md:63 | |
| HIGH | Unverified external voice model downloads The skill instructs users to download voice models from Hugging Face without specifying exact file names, versions, or providing cryptographic hashes for verification. This introduces a significant supply chain risk, as a malicious actor could upload a compromised model to the specified repository, which users might then download and use, potentially leading to data manipulation, system compromise, or other security issues if the skill processes these models in an unsafe manner. Provide specific download links for each required model, including their cryptographic hashes (e.g., SHA256). Instruct users to verify these hashes after download. Alternatively, bundle verified models with the skill or use a trusted, version-controlled model repository. | LLM | SKILL.md:19 | |
| MEDIUM | Unpinned `piper-tts` dependency The skill instructs users to install `piper-tts` using `pip3 install --user piper-tts` without specifying a version. This can lead to supply chain vulnerabilities if a malicious or incompatible version of `piper-tts` is published, potentially introducing security flaws or breaking functionality. Pin the `piper-tts` dependency to a specific, known-good version (e.g., `piper-tts==X.Y.Z`) to ensure consistency and mitigate risks from future malicious updates. | LLM | SKILL.md:17 |
Scan History
Embed Code
[](https://skillshield.io/report/7b8ef27220c003b1)
Powered by SkillShield