Security Decision Report

lessac_offline_voice_system

The skill claims 'fully offline' with 'no data leaves your machine,' but actually uses edge-tts which transmits audio/text to Microsoft cloud servers - a significant doc-to-code mismatch indicating potential data exfiltration.

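Install decision first · Source: manual upload · Scan time: 2026/4/4
Files: 8
IOCs: 5
Overreach items: 1
Findings: 4
Most direct threat evidence
High risk: Documentation deception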
False claim of offline operation

SKILL.md explicitly states 'Fully offline: No internet connection required' and 'Privacy-focused: All processing happens locally' and 'No data leaves your machine'. However, the implementation uses 'edge-tts' which is Microsoft's cloud TTS service that sends audio text to Microsoft servers.

SKILL.md:7

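Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 1 capability or overreach beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 5 general-risk artifacts; these need to be judged in context.

Block
Attack chain and high-risk findings

The report contains a 0-step attack chain, plus 2 high-risk or critical findings.

Review
Dependency and supply-chain hygiene

Found 3 dependency or supply-chain indicators that need attention.

How the risk score was raised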

Doc-to-code mismatch (network behavior) +25

SKILL.md claims 'fully offline' and 'no data leaves your machine' but uses edge-tts which sends data to Microsoft cloud

Undeclared network access +15

edge-tts package makes HTTPS requests to Microsoft servers for TTS generation

Unpinned Python dependencies +10

pip install without version pinning for faster-whisper, edge-tts, soundfile

Shell injection risk +5

subprocess.run with shell=True in voice_handler.py

Key evidence

High risk: Documentation deception

False claim of offline operation

SKILL.md explicitly states 'Fully offline: No internet connection required' and 'Privacy-focused: All processing happens locally' and 'No data leaves your machine'. However, the implementation uses 'edge-tts' which is Microsoft's cloud TTS service that sends audio text to Microsoft servers.

SKILL.md:7
Either remove the edge-tts dependency and use local Piper TTS only, or update documentation to clearly disclose cloud dependency and data transmission.
High risk: Data exfiltration

Audio data transmitted to Microsoft cloud

The edge-tts package (installed in install.sh:85) makes HTTPS requests to Microsoft servers to generate TTS audio. This means user-provided text and any processed audio is sent to external servers, contradicting the skill's privacy claims.

scripts/install.sh:85
Remove edge-tts dependency if true offline operation is required. Use only self-hosted Piper TTS.
Medium risk: Supply chain

Unpinned Python package versions

Python packages are installed without version constraints: 'pip install faster-whisper edge-tts soundfile'. This allows dependency substitution attacks.

scripts/install.sh:85
Pin versions: pip install faster-whisper==X.Y.Z edge-tts==X.Y.Z soundfile==X.Y.Z
Low risk: Code execution

subprocess with shell=True

The voice_handler.py uses subprocess.run with shell=True for ffmpeg execution. While ffmpeg commands are typically static, shell=True introduces potential command injection risk if audio filenames are user-controlled.

scripts/voice_handler.py:39
Use subprocess.run with shell=False and pass arguments as a list for safer execution.

Declared vs. actual capabilities

Filesystem: Pass
Declared: READ
Inferred: WRITE
install.sh:100 - Creates config files, copies scripts to $INSTALL_DIR
Network access: Block
Declared: NONE
Inferred: WRITE
SKILL.md claims offline, but edge-tts sends data to Microsoft servers
Command execution: Pass
Declared: NONE
Inferred: WRITE
voice_handler.py:39 - Uses subprocess for ffmpeg (documented CLI tool)

Suspicious artifacts and outbound connections

Medium risk: External URL
https://huggingface.co/rhasspy/piper-voices/resolve/v1.0.0/en/en_US/lessac/high/en_US-lessac-high.onnx

README.md:75

Medium risk: External URL
https://huggingface.co/rhasspy/piper-voices/resolve/v1.0.0/en/en_US/lessac/high/en_US-lessac-high.onnx.json

README.md:76

Medium risk: External URL
https://huggingface.co/rhasspy/piper-voices

SKILL.md:165

Medium risk: External URL
https://huggingface.co/rhasspy/piper-voices/resolve/v1.0.0/en/en_US/ryan/high/en_US-ryan-high.onnx

references/voice_models.md:57

Medium risk: External URL
https://huggingface.co/rhasspy/piper-voices/resolve/v1.0.0/en/en_US/ryan/high/en_US-ryan-high.onnx.json

references/voice_models.md:58

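Dependencies and supply chain

| Package | Version | Source | Vulnerabilities | Notes |
|---|---|---|---|---|
| faster-whisper | * | pip | | Version not pinned |
| edge-tts | * | pip | | Version not pinned - Microsoft cloud service |
| soundfile | * | pip | | Version not pinned |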

File composition

8 files · 1419 lines
Markdown: 3 files · 592 lines
Python: 3 files · 422 lines
Shell: 2 files · 405 lines
Files needing attention · 5
scripts/install.sh Shell · 247 lines
Audio data transmitted to Microsoft cloud · Unpinned Python package versions
SKILL.md Markdown · 233 lines
False claim of offline operation · https://huggingface.co/rhasspy/piper-voices
README.md Markdown · 205 lines
https://huggingface.co/rhasspy/piper-voices/resolve/v1.0.0/en/en_US/lessac/high/en_US-lessac-high.onnx · https://huggingface.co/rhasspy/piper-voices/resolve/v1.0.0/en/en_US/lessac/high/en_US-lessac-high.onnx.json
references/voice_models.md Markdown · 154 lines
https://huggingface.co/rhasspy/piper-voices/resolve/v1.0.0/en/en_US/ryan/high/en_US-ryan-high.onnx · https://huggingface.co/rhasspy/piper-voices/resolve/v1.0.0/en/en_US/ryan/high/en_US-ryan-high.onnx.json
scripts/voice_handler.py Python · 121 lines
subprocess with shell=True
Other files · test_skill.py · voice_integration.sh · piper_tts.py

Security highlights

No evidence of credential harvesting from environment variables
No base64-encoded payloads or obfuscated code
No reverse shell or direct C2 communication detected
No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
Python code is readable and auditable
Dependencies come from standard, well-known packages (faster-whisper, piper-tts)