Is martianzenmonk/espeak-ng safe?

https://github.com/openclaw/skills/tree/main/skills/martianzenmonk/espeak-ng

92
SAFE

The espeak-ng skill is a minimal, correctly-scoped TTS wrapper with no prompt injection, data exfiltration, or covert code execution mechanisms. The Python script uses safe subprocess practices (list invocation, input sanitization) and contains no file I/O or network calls. Canary file accesses logged during the audit are attributable to the oathe monitoring infrastructure rather than the skill, as confirmed by intact canary hashes and the absence of any relevant code in espeak_skill.py. The only substantive concerns are minor: a bare except clause that reduces error observability, and executable code that requires espeak-ng to be installed on the host.

Category Scores

Prompt Injection 97/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 84/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (5)

LOW Executable Python script invokes system binary via subprocess -10

espeak_skill.py calls subprocess.Popen with espeak-ng. This is expected behavior for a TTS skill but constitutes code execution on the host. The list-form invocation and regex sanitization of sys.argv[1] are appropriate mitigations. No shell=True, no path traversal, no dynamic code loading.

LOW Bare except clause suppresses all error details -6

The outer try/except in espeak_skill.py catches BaseException without logging the error type or traceback. If espeak-ng behaves unexpectedly or if the argument sanitization fails in an edge case, the failure mode is silently swallowed and reported only as 'Failed'.

LOW Canary files opened during monitoring window — attributed to audit infrastructure -12

Auditd PATH records at 1771925101.488 (events 266–271) and 1771925119.358 (events 1429–1434) show open+read syscalls against .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials. The first cluster occurs 22ms after audit event #263 (the baseline ss -tunap), consistent with monitoring initialization. The second cluster coincides with monitoring teardown. espeak_skill.py contains no file-reading code. Canary integrity confirmed intact.

INFO External URL reference in SKILL.md -3

SKILL.md includes a URL pointing to the official espeak-ng GitHub releases page for Windows installer download. This is passive documentation — no instruction to fetch or execute the URL is present. No prompt injection risk.

INFO Aggressive input sanitization removes all punctuation from spoken text -12

re.sub(r'[^a-zA-Z0-9\s]','') strips all non-alphanumeric, non-space characters before TTS. This is a net security positive (prevents argument injection) but may be a usability limitation. Not a threat indicator.