Trust Assessment
voice-ai-tts received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. The findings are "Data exfiltration via arbitrary file read in voice cloning" (critical) and "Arbitrary file write via unsanitized output path" (high).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)

| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Data exfiltration via arbitrary file read in voice cloning | LLM | voice-ai-tts-sdk.js:430 |
| HIGH | Arbitrary file write via unsanitized output path | LLM | scripts/tts.js:70 |

CRITICAL: Data exfiltration via arbitrary file read in voice cloning (voice-ai-tts-sdk.js:430)

The `cloneVoice` method in `voice-ai-tts-sdk.js` passes the caller-supplied `file` parameter straight to `fs.createReadStream(file)`. Anyone who controls that parameter, for example through prompt injection against the LLM driving this skill, can name any file the process is able to read, such as `/etc/passwd` or `~/.ssh/id_rsa`. The file's contents are then uploaded to the external Voice.ai API as the voice sample, which amounts to exfiltration of local data to a third party.

Remediation: validate and sanitize the `file` path in `cloneVoice`. Confine reads to a designated, isolated directory such as a temporary upload folder, canonicalize the path and reject anything that resolves outside that directory, and never accept raw filesystem paths from user or model input. Consider requiring pre-uploaded files, or a file-selection mechanism that does not expose the filesystem directly.

HIGH: Arbitrary file write via unsanitized output path (scripts/tts.js:70)

The `scripts/tts.js` CLI takes an `--output` argument straight from `process.argv` and passes it to the SDK's `generateSpeechToFile` or `streamSpeechToFile`. Both call `_downloadFile`, which opens `fs.createWriteStream(outputPath)` without validating or sanitizing `outputPath`. Whoever controls `--output` can therefore have the synthesized audio written to any path the process has write access to, such as `/etc/passwd` or `../../sensitive_data.txt`, overwriting existing files or creating files outside the intended output directory. Which files are reachable depends on the privileges the CLI runs with; the consequence is denial of service or data corruption.

Remediation: validate and sanitize `outputPath`. Canonicalize it with `path.resolve()` against an allowed base directory (a temporary directory or a user-specific folder) and reject any result that falls outside that base, which neutralizes `../` traversal sequences. Restrict writes to that directory only.
Full report: https://skillshield.io/report/fe69d0dddc139a05
Powered by SkillShield