U2-audio-file-transcriber

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real UniSound audio transcription helper, but it sends potentially sensitive audio to a default UniSound UAT endpoint over plain HTTP.

Review before installing. Use this only if you specifically want UniSound cloud transcription, avoid sensitive or production audio with the default UAT HTTP endpoint, and configure your own trusted HTTPS UniSound endpoint and scoped credentials before processing private, customer-service, or financial recordings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
This script uploads user-provided audio to a remote ASR endpoint, but it does so without an explicit warning or consent prompt at the point of use. Because audio may contain sensitive personal, financial, or customer-service data, silent network transmission can expose users to privacy and compliance risks, especially given the finance-oriented defaults.

VirusTotal

66/66 vendors flagged this skill as clean.
