中文 EN

Scan Report

Scan New Files

Suspicious — Risk Score 31/100
Last scan:1 day ago Rescan
31 /100
chattts
High-quality, conversational Text-to-Speech (TTS) generation via local ChatTTS API
Hardcoded non-localhost IP address (172.23.252.114:8020) in both SKILL.md and script creates an undeclared network destination with no clear legitimate reason to avoid environment-based configuration.
Skill Namechattts
Duration49.4s
Enginepi
Use with caution
Remove the hardcoded IP fallback. Only use the CHATTTS_API_URL environment variable, defaulting to localhost (127.0.0.1) if needed. Document why external network access is required.

Findings 2 items

Severity Finding Location
Medium
Hardcoded fallback IP address Sensitive Access
The script uses a hardcoded IP address (172.23.252.114:8020) as a fallback when CHATTTS_API_URL is not set. This creates a network dependency to an unspecified external endpoint without clear documentation of its trustworthiness.
const apiUrl = process.env.CHATTTS_API_URL || 'http://172.23.252.114:8020';
→ Remove the hardcoded IP fallback. Require CHATTTS_API_URL to be explicitly set, or default to localhost (127.0.0.1:8020) for local-only operation.
 scripts/tts.mjs:48
Medium
Non-localhost network destination declared as requirement Doc Mismatch
The SKILL.md metadata explicitly declares http://172.23.252.114:8020 as the primaryEnv requirement. For a typical TTS skill, a local server (localhost) would be expected. Using a private IP suggests external infrastructure without justification.
"primaryEnv":"http://172.23.252.114:8020"
→ If external TTS servers are legitimate use cases, document why. Otherwise, default to localhost for user privacy and security.
 SKILL.md:4
ResourceDeclaredInferredStatusEvidence
Network READ READ ✓ Aligned SKILL.md:4 metadata declares env=['http://172.23.252.114:8020']
Shell WRITE WRITE ✓ Aligned SKILL.md usage shows 'node {baseDir}/scripts/tts.mjs'
Filesystem NONE NONE No file operations in scripts/tts.mjs
Environment READ READ ✓ Aligned scripts/tts.mjs:48 reads process.env.CHATTTS_API_URL
1 High 2 findings
📡
High IP Address 硬编码 IP 地址
172.23.252.114
SKILL.md:4
🔗
Medium External URL 外部 URL
http://172.23.252.114:8020
SKILL.md:4

File Tree

2 files · 3.5 KB · 87 lines
JavaScript 1f · 60L Markdown 1f · 27L
├─ 📁 scripts
│ └─ 📜 tts.mjs JavaScript 60L · 1.9 KB
└─ 📝 SKILL.md Markdown 27L · 1.6 KB

Security Positives

✓ Skill functionality is straightforward: text-to-speech via HTTP API
✓ No credential harvesting or sensitive file access
✓ No obfuscation techniques (base64, eval) detected
✓ Uses standard Node.js fetch API for HTTP requests
✓ Environment variable CHATTTS_API_URL is supported as primary configuration method