Is edge-tts safe?

https://clawhub.ai/i3130002/edge-tts

74 · CAUTION

The edge-tts skill provides legitimate text-to-speech functionality using Microsoft Edge's neural TTS service. The primary concerns are: (1) sensitive files (.env, .aws/credentials) were accessed during installation, though this appears attributable to the host platform rather than the skill itself; (2) all converted text is sent to Microsoft's external service, creating a data exfiltration vector for sensitive content; (3) the proxy configuration option could be weaponized to reroute user text through a malicious intermediary. No prompt injection, canary violations, or malicious intent were detected in the skill's own code.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 60/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (10)

HIGH Sensitive file access during installation -25

Filesystem monitoring captured reads of .env, .aws/credentials, .openclaw/openclaw.json, and auth-profiles.json during the install/clone phase. While this may be caused by the host platform's initialization rather than the skill itself, the .aws/credentials file access is concerning as it contains cloud provider secrets.

MEDIUM Text content sent to external Microsoft service -15

All text converted to speech is transmitted to Microsoft Edge's online TTS service. While this is the core functionality of the skill, users should be aware that any text processed — including potentially sensitive content — leaves the local environment.

MEDIUM Config file written to user home directory -5

config-manager.js writes ~/.tts-config.json in the user's home directory, outside the skill's own directory. This persists across sessions and could leak user preferences. The proxy field in config could be set to route traffic through a malicious proxy.

MEDIUM install.sh runs npm install with transitive dependencies -20

The install.sh script runs 'npm install --production' which fetches and installs packages from npm. While the direct dependencies are benign (node-edge-tts, commander), transitive dependencies could include lifecycle scripts that execute arbitrary code during installation.

MEDIUM Test script uses npx to download and execute binary -10

The package.json test script uses 'npx node-edge-tts' which may download and execute a binary from npm if not already installed locally.

LOW Broad trigger word may cause unintended activation -5

The skill activates on the keyword 'tts' which is a common abbreviation. This could cause the skill to activate on messages where TTS was not intended, leading to unexpected behavior or resource consumption.

LOW External URL reference for voice testing -10

SKILL.md references https://tts.travisvn.com/ for voice testing. While informational, an overly compliant agent might navigate to this URL, potentially exposing the agent to content on that domain.

LOW Proxy option enables traffic rerouting -15

Both tts-converter.js and config-manager.js support a --proxy option. If a malicious actor sets the proxy config, all TTS requests (containing user text) would be routed through an attacker-controlled server.

INFO Host platform files accessed during initialization -10

Multiple reads of .profile, .bashrc, and .openclaw/ configuration files were detected. These appear to be host platform initialization behavior (openclaw/jiti runtime) rather than skill-initiated reads, but they increase the attack surface.

INFO Temp directory creation during install -5

Directories /tmp/openclaw-1000/ and /tmp/jiti/ were created during the install phase with lock files and compiled modules. This is consistent with the host platform's JIT compilation and process locking, not skill behavior.