Is jamiepine/voicebox safe?
https://github.com/jamiepine/voicebox
The jamiepine/voicebox repository is a legitimate open-source text-to-speech desktop application. Its four developer skills (draft-release-notes, triage-prs, add-tts-engine, release-bump) are well-structured maintainer workflow tools containing no prompt injection, hidden instructions, persona overrides, or data exfiltration attempts. Minor risks exist from the add-tts-engine skill cloning external repos (potential git hook execution) and the triage-prs skill automating PR merges without mandatory human review gates, but these reflect operational trust assumptions for a project maintainer rather than adversarial design.
Category Scores
Findings (6)
LOW docs/package.json postinstall hook (fumadocs-mdx) -8 ▶
The docs subdirectory ships a package.json with a postinstall lifecycle hook that executes fumadocs-mdx automatically on npm/bun install. fumadocs-mdx is a legitimate documentation code-generation tool from the fumadocs framework, not malicious, but automatic install hooks warrant explicit disclosure.
LOW add-tts-engine skill clones arbitrary external repos -5 ▶
The add-tts-engine SKILL.md instructs the agent to git clone a user-supplied model library URL into /tmp/engine-research as Phase 0 of the workflow. Cloning untrusted repos could trigger git post-checkout or post-clone hooks in those external repos, executing attacker-controlled code in the agent's environment.
LOW triage-prs processes untrusted contributor PR content -7 ▶
The triage-prs skill reads PR titles, bodies, branch names, commit messages, and diff output from external contributors via gh CLI. An attacker who submits a PR could craft the PR body or commit message to contain prompt injection payloads that the agent reads during triage. The structured JSON output from gh CLI reduces but does not eliminate this risk, as commit messages and PR bodies are plain text passed through.
INFO triage-prs enables autonomous PR merging bypassing human review -10 ▶
The triage-prs skill automates batch squash-merging of contributor PRs and force-pushing rebased branches to external contributor forks. When executed without close human supervision, this workflow can land code into main without the standard review process, presenting a risk of inadvertently merging malicious contributions from the PR queue.
INFO release-bump skill creates version tags and modifies 10+ files autonomously -8 ▶
The release-bump skill runs bumpversion --allow-dirty to update version strings across all tracked files and create a git tag. If invoked prematurely or on the wrong branch, it produces hard-to-retract tagged commits spanning the entire monorepo.
INFO Canary files read pre-clone — attributed to audit infrastructure -5 ▶
Six sensitive honeypot files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were opened and read at 15:45:22 UTC, five seconds before the git clone began. CLOSE_NOWRITE events confirm read-only access. Ordering immediately after the ss -tunap network baseline command and the confirmed canary integrity verdict (all files intact, no modification) indicate these reads are from the oathe audit framework establishing pre-clone baseline hashes, not from the cloned repository.