Scan Report
5 /100
speech-synthesizer
文字转语音(Text-to-Speech)工具,支持 edge-tts 和 OpenAI 兼容 API TTS
This is a legitimate text-to-speech skill using edge-tts and OpenAI-compatible APIs. No malicious behavior detected.
Safe to install
Skill is safe to use. Consider documenting the network access requirement more explicitly in SKILL.md.
Findings 1 items
| Severity | Finding | Location |
|---|---|---|
| Low | Incomplete allowed-tools declaration | SKILL.md:1 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | WRITE | ✓ Aligned | scripts/tts_simple.py:115 - writes to projects/tts/output/ |
| Network | NONE | READ | ✗ Violation | scripts/tts_simple.py:52 - calls edge-tts service |
| Environment | READ | READ | ✓ Aligned | scripts/tts_simple.py:101-102 - reads TTS_API_URL and TTS_API_KEY |
1 findings
Medium External URL 外部 URL
https://www.bing.com SKILL.md:230 File Tree
4 files · 19.0 KB · 620 lines Python 2f · 331L
Markdown 1f · 276L
Text 1f · 13L
├─
▾
scripts
│ ├─
tts_edge.py
Python
│ └─
tts_simple.py
Python
├─
requirements.txt
Text
└─
SKILL.md
Markdown
Dependencies 3 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
edge-tts | >=7.0.0 | pip | No | Standard Microsoft Neural TTS library |
openai | >=1.0.0 | pip | No | Official OpenAI Python client |
aiohttp | >=3.8.0 | pip | No | HTTP client library, transitive dep |
Security Positives
✓ No shell execution (subprocess, os.system, etc.)
✓ No credential harvesting or exfiltration - API key used only for legitimate TTS API calls
✓ No base64/eval obfuscation patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No remote script execution (curl|bash, wget|sh)
✓ Clean, straightforward TTS implementation
✓ Dependencies are standard legitimate libraries (edge-tts, openai)