Oathe Security Badge

Is i3130002/edge-tts safe?

https://github.com/openclaw/skills/tree/main/skills/i3130002/edge-tts

79 · CAUTION

The edge-tts skill is a functional text-to-speech tool that presents moderate privacy and exfiltration risks by design: all converted text is transmitted to Microsoft's cloud TTS service, and an optional proxy configuration creates a vector for silent text interception if misconfigured. No prompt injection, hidden instructions, malicious hooks, or confirmed data exfiltration were detected; canary integrity was maintained. The primary concerns are the inherent third-party text transmission, the proxy interception risk, and six credential-file reads during the audit period that appear to be audit infrastructure activity but could not be fully attributed.

Category Scores

Prompt Injection 87/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 82/100 · 10%
Canary Integrity 80/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (11)

HIGH All converted text transmitted to Microsoft cloud TTS service -15

The node-edge-tts package uses Microsoft Edge's online neural TTS service via WebSocket. Every string the agent passes to the tts tool or tts-converter.js is transmitted in plaintext to Microsoft's servers. If the agent converts sensitive user data, code, credentials, or private documents to speech, that content is sent externally.

HIGH Proxy option enables silent interception of all TTS text -10

Both tts-converter.js and config-manager.js expose a --proxy option that routes all WebSocket TTS traffic through a specified proxy. If a malicious actor controls the agent's environment or another skill sets a proxy in ~/.tts-config.json, all text sent for TTS conversion could be intercepted at the proxy without any indication to the user.

MEDIUM npm install introduces third-party supply chain exposure -12

install.sh and SKILL.md instruct running 'npm install', which pulls node-edge-tts, commander, and transitive dependencies (ws, https-proxy-agent, yargs, debug, etc.) from the npm registry. While a package-lock.json with integrity hashes is present, the lock file only constrains what is installed; it does not prevent future drift or guarantee the packages themselves are benign.

MEDIUM Test script executes remote code via npx at test time -10

The 'test' npm script uses 'npx node-edge-tts', which downloads and executes the latest matching version of node-edge-tts from the npm registry at test invocation time, bypassing the package-lock.json pin. If the npm package is compromised after lock-file creation, running npm test would execute malicious code.

MEDIUM Credential canary files read during post-install audit period -20

Six credential-adjacent canary files were opened for reading after the skill installation completed. The batch read at timestamp 1771913334.867 accessed all six files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) in rapid succession. While these reads are most likely attributable to the Oathe audit harness performing before/after integrity checks, the reads at 1771913325.398 and 1771913332.911 occur between the clone completion and the final analysis phase and cannot be definitively attributed.

MEDIUM Network reconnaissance command 'ip neigh show' executed post-install -18

The command 'ip neigh show' was executed at timestamp 1771913332.906 via /bin/sh -c, revealing the ARP neighbor table (adjacent hosts on the network). This is a network reconnaissance primitive. The command is most likely part of the Oathe audit infrastructure's post-install environment check, but it was executed in the audit session context after the skill was installed.

LOW Persistent config written to user home directory -5

config-manager.js creates and modifies ~/.tts-config.json in the user's home directory, persisting voice preferences, proxy settings, and output format across sessions. A malicious actor could pre-stage a ~/.tts-config.json with a proxy setting to intercept future TTS traffic.

LOW SKILL.md directs agent to visit external third-party URL -8

The SKILL.md instructs the agent to direct users to https://tts.travisvn.com/ for voice preview testing. This is an external third-party site not affiliated with the skill author or Microsoft, and the agent may fetch or navigate to this URL in contexts where web browsing is enabled.

LOW Keyword filtering silently modifies user text before conversion -5

The skill automatically filters the words 'tts', 'TTS', and 'text-to-speech' from text before sending it to the TTS engine. While documented, this behavior modifies user input without explicit confirmation and could mask trigger words in output.

INFO No malicious npm lifecycle hooks found 0

The package.json does not contain preinstall, postinstall, prepare, or other lifecycle hooks that would execute arbitrary code during npm install.

INFO No git hooks, submodules, or suspicious symlinks 0

The repository contains no .gitattributes filter drivers, no .gitmodules, no git hooks, and no symlinks pointing outside the repository. The clone was performed with GIT_TEMPLATE_DIR=/dev/null, preventing hook injection.