Alpha Preview: Fidensa is currently in early testing. Scores are for demonstration purposes and are not considered final or reliable.

Fidensa
Hook Verified

disler-hooks-tts

Provides AI-generated text-to-speech audio feedback, prompt validation, security controls, and session logging for Claude Code interactions.

77

/ 100 · Grade C

C = 70–79

I need to enhance my Claude Code sessions with audio feedback, validate and improve my prompts, add security controls before tool usage, and maintain structured logs of my interactions.

audiosecurityvalidationloggingAI-assistance
Publisher: dislerVersion: latestCertified: Apr 1, 2026Expires: Apr 1, 2027Source ↗

disler-hooks-tts earned Verified status with a trust score of 77/100 (Grade C). Adversarial testing produced 8 findings (7 high, 1 medium). Security scan flagged 0 findings. Tier is Verified rather than Certified due to unmitigated findings above severity thresholds.

Trust Score Breakdown

Eight weighted signals composing the aggregate trust score

security scan
100% × 15w
15.0
supply chain
100% × 10w
10.0
adversarial
23% × 25w
5.7
provenance
80% × 20w
16.0
consumer confirm
100% × 10w
10.0
behavioral pass
100% × 10w
10.0
contract accuracy
100% × 6w
6.0
uptime
100% × 4w
4.0

Scheme v2.0 · Weights provisional · Consumer confirmations and uptime use pipeline-derived baselines.

Findings

Security scan results, adversarial testing, and pipeline review

Security Scan — Cisco Skill Scanner

cisco-skill-scannerFAIL
staticbehavioralllmmeta
critical: 0high: 0medium: 0low: 0

Adversarial Testing — 6 categories, 8 findings

prompt injection chainsprivilege escalationdata exfiltration side channelscapability squattingcontext poisoningdependency confusion
highReviewprompt injection chainssuspected

The notification.py hook processes user-provided messages and incorporates them into TTS announcements. While the current implementation only uses predefined messages, the structure accepts arbitrary message content from input_data.get('message') and could be extended to process user content. The hook lacks explicit data boundary markers around user content references, creating potential for instruction injection if the message processing is expanded.

highWarnprompt injection chainsconfirmed

The notification hook constructs shell commands using environment variables (ENGINEER_NAME) and executes subprocess calls with uv run. While ENGINEER_NAME is used in string formatting for TTS messages, the broader pattern of executing shell commands with environment-derived content creates a parameter injection surface. An attacker who can control environment variables could potentially inject additional parameters or alter command execution.

highWarnprivilege escalationconfirmed

The skill grants extensive bash permissions including 'Bash(chmod:*)' which allows arbitrary file permission modifications. Multiple hook scripts are executed automatically at various lifecycle events (PreToolUse, PostToolUse, SessionStart, etc.) with these elevated permissions. This creates a concrete attack surface where malicious hook scripts could modify file permissions system-wide.

highReviewprivilege escalationsuspected

The notification hook script accesses environment variables (ELEVENLABS_API_KEY, OPENAI_API_KEY, ENGINEER_NAME) and executes external TTS scripts. While the current implementation appears to only read these variables, the broad bash permissions combined with automatic hook execution could enable system-level modifications if the hook scripts were compromised or modified.

mediumReviewdata exfiltration side channelsconfirmed

The skill implements extensive logging across multiple hooks that capture and store tool inputs, outputs, and intermediate data. The pre_tool_use.py, post_tool_use.py, permission_request.py, and other hooks log complete tool inputs and outputs to JSON files. This logging could expose sensitive data like file contents, command outputs, API responses, or user inputs that pass through the system.

highWarncapability squattingconfirmed

The skill contains multiple conditional statements that reference system environment variables and state that users wouldn't anticipate. The notification.py script uses conditional logic based on ENGINEER_NAME environment variable and random probability (30% chance) to modify behavior. The get_tts_script_path() function conditionally selects TTS providers based on API key environment variables (ELEVENLABS_API_KEY, OPENAI_API_KEY) without documenting this behavior in the skill's declared scope.

highWarncontext poisoningconfirmed

The notification hook implements persistent TTS behavior that announces 'Your agent needs your input' across all sessions without explicit termination conditions or scope boundaries. The behavior persists beyond individual tasks and affects all future agent interactions.

highWarndependency confusionconfirmed

The skill extensively uses 'uv run' commands to execute Python scripts with dependencies specified inline via script metadata, but these dependencies are not declared in the skill's dependency list. Multiple scripts use packages like 'python-dotenv' that are installed at runtime without being in the declared dependencies.

Methodology v1.0 · 6 categories · ~55 attack patterns

Interface

Skill triggers and instruction summary

Activation

Binds to lifecycle events: PreToolUse, PostToolUse, Notification, Stop, SubagentStop, UserPromptSubmit, PreCompact, SessionStart, SessionEnd, PermissionRequest, PostToolUseFailure, SubagentStart, Setup

Hook configuration with 13 handler(s)

Instructions: 13Files: 23Format: hook_json

Scope & Permissions

What this capability can and cannot access — derived from pipeline analysis

creates files

no

deletes files

no

modifies files

no

accesses env variables

yes

invokes external tools

yes

makes network requests

no

Badge & Integration

Embed certification status in your README, docs, or CI pipeline

Fidensa Verified badge for disler-hooks-tts
badge SVG →attestation API →integration guide →

Certification Notes

Provenance observations from the pipeline

publisher

Publisher "disler" is not verified — first certification from this publisher

provenance

No license file found in repository

provenance

No SECURITY.md or SECURITY.txt file found — no published vulnerability reporting process

provenance

Single contributor — no peer review evidence in commit history

provenance

Package description appears to be boilerplate or template text

Signed Artifact

Certification provenance and verification metadata

Content hash
sha256:bc74ec4ee55825e2a703cb0ad10ef7c84a527219ee8a3ea4b5a9346d7f0ff6c0
Key ID
kms-9db4ed3b9f53
Certified
Apr 1, 2026
Expires
Apr 1, 2027
Pipeline version
1.0
Status
valid
Annotated Filedownload →

The original instruction file with a certification footer appended. Replace the source file in your project so AI agents see the trust score, verification link, and SOP.

.cert.jsondownload →

ES256-signed JWS artifact for programmatic verification. Use with the Fidensa MCP server or GitHub Action to validate integrity.

Pipeline Artifacts

Raw data files from this certification run — downloadable for independent verification

contract.json

Full unsigned contract

stage1-ingest.json

Ingest stage output

stage2a-sbom.json

SBOM generation results

stage2a-vulns.json

Vulnerability scan results

stage2b-security.json

Security scan results

stage3a-functional.json

Functional test results

stage3b-adversarial.json

Adversarial test results

stage3c-fingerprint.json

Behavioral fingerprint

stage4-certify.json

Certification decision + trust score

stage3a-measurements.json

Raw functional test measurements

stage3b-measurements.json

Raw adversarial test measurements

run-log.json

Pipeline execution log

Not all files may be present for every certification.