AIML Voice Transcript

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: transcribe user-selected audio through AIMLAPI and save the transcript locally.

Install only if you are comfortable sending the audio files you choose to AIMLAPI. Use a dedicated AIMLAPI key where possible, avoid transcribing highly sensitive recordings unless the service terms fit your needs, and review output paths before saving transcripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding:
The skill exposes meaningful capabilities—reading local files, writing output, using environment secrets, and making network requests—without declaring explicit permissions. That creates a transparency and policy-enforcement gap: a caller may invoke the skill without realizing it can access an API key, transmit local audio to a third-party service, and write transcripts to disk.

Missing User Warnings

Medium
Confidence: 88%
Finding:
The script uploads the full local audio file to a third-party transcription service during normal operation without an explicit runtime warning or confirmation. In agent contexts, this can cause unintentional exfiltration of sensitive voice content, background conversations, or embedded personal data if users or operators do not realize that local files are sent off-device.

VirusTotal

66/66 vendors flagged this skill as clean.
