Deapi Audio

Security checks across malware telemetry and agentic risk

Overview

This is a coherent deAPI audio skill, but it sends chosen text and audio to deAPI and may store the API key locally.

Install only if you are comfortable sending selected text, recordings, voice samples, and generated result URLs to deAPI. Prefer DEAPI_API_KEY over config.json, protect or rotate any stored key, and only upload audio or clone voices when you have permission and the content is not sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to ask the user for a deAPI API key and write it into `config.json` without any warning about local secret storage, file permissions, retention, or who can later read that file. This creates a realistic risk of credential exposure to other tools, users, future sessions, backups, or accidental disclosure if the config file is read back or committed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document instructs users to send text, uploaded reference audio, and transcription audio files to a third-party API but does not warn about privacy, consent, retention, or sensitivity risks. In a voice-cloning and transcription skill, this omission is security-relevant because users may submit biometric voice data or confidential audio without understanding it leaves the local environment.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script uploads user-provided audio to a remote deAPI endpoint for transcription, but it does not present an explicit warning or consent checkpoint about external transmission of potentially sensitive voice content. In a speech-to-text skill, this is privacy-relevant because audio may contain personal, confidential, or biometric information, and users may assume local processing unless told otherwise.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends user-provided text to a remote deAPI text-to-speech service, but it gives no explicit warning or consent prompt that the content will leave the local system. This can expose sensitive or regulated text if a user assumes processing is local, especially because the skill is framed as a convenient TTS utility and the network transmission is abstracted away behind helper functions.

External Transmission

Medium
Category
Data Exfiltration
Content
# Audio API Reference

Base URL: `https://api.deapi.ai/api/v1/client/`
Auth: `Authorization: Bearer $DEAPI_API_KEY`

## txt2audio
Confidence
90% confidence
Finding
https://api.deapi.ai/

VirusTotal

66/66 vendors flagged this skill as clean.
