ClawHub

Audio Transcriber

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward audio transcription helper, but users should be mindful that live audio and saved WAV files can contain sensitive speech.

Install only if you are comfortable giving the agent microphone/audio-processing capability. Use it with consent from speakers, avoid confidential or regulated conversations unless your environment is appropriate, and delete generated WAV/transcript files when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger description is broad enough that the skill may activate for general requests involving meetings, translation, or audio analysis without clear user intent to record or process audio. In a skill that can access microphones, create recordings, and transcribe speech, accidental invocation increases the risk of unintended privacy-invasive behavior and surprise data processing.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill handles recording, transcription, translation, and emotion analysis, all of which may process sensitive personal or third-party speech data, but it provides no privacy notice, consent guidance, retention statement, or warning about sensitive content. This is especially dangerous because users may unknowingly capture bystanders, confidential meetings, or regulated data, and emotion inference adds another layer of sensitive processing.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The documentation describes writing output WAV and cleaned WAV files but does not warn users that audio artifacts will be persisted to disk. Silent file creation can expose sensitive recordings to other local users, backups, indexing services, or later unintended disclosure, especially on shared systems.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal