Scan Report
5 /100
coze-voice-gen
Text-to-Speech (TTS) and Speech-to-Text (ASR) using coze-coding-dev-sdk
This is a legitimate TTS/ASR voice processing skill using coze-coding-dev-sdk with no malicious indicators found.
Safe to install
This skill is safe to use. No security concerns identified.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md line 1: uses npx ts-node for execution |
| Filesystem | READ | READ | ✓ Aligned | asr.ts line 71: fs.readFileSync - only user-specified files |
| Network | READ | READ | ✓ Aligned | SDK communicates with coze.com API |
| Environment | NONE | NONE | — | No environment variable access detected |
| Skill Invoke | NONE | NONE | — | No inter-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
1 findings
Medium External URL 外部 URL
https://www.coze.com SKILL.md:4 File Tree
3 files · 10.9 KB · 400 lines TypeScript 2f · 262L
Markdown 1f · 138L
├─
▾
scripts
│ ├─
asr.ts
TypeScript
│ └─
tts.ts
TypeScript
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
coze-coding-dev-sdk | * | npm | No | External SDK - version not pinned, but standard npm package |
Security Positives
✓ No credential harvesting or sensitive data exfiltration
✓ No base64-encoded obfuscation or eval() calls
✓ No remote script execution (curl|bash pattern)
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ File system access limited to user-specified audio files for ASR
✓ Documentation accurately reflects code functionality
✓ Uses a legitimate third-party SDK (coze-coding-dev-sdk) for voice processing
✓ No hidden instructions or prompt injection detected