Back to skill

Security audit

Local STT (Nvidia Parakeet + Whisper Support)

Security checks across malware telemetry and agentic risk

Overview

This skill performs local speech-to-text and has a documented, user-triggered option to post the transcript to Matrix.

Install this if you want a local transcription CLI and are comfortable with uv-managed Python/model dependencies. Treat --room-id as consent to send the recognized speech text to Matrix using MATRIX_HOMESERVER and MATRIX_ACCESS_TOKEN; avoid using that option for sensitive audio unless the Matrix room and token are appropriate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Tainted flow: 'url' from os.environ.get (line 90, credential/environment) → requests.put (network output)

Critical
Category
Data Flow
Content
log.write(f"Attempting send to {room_id} at {txn_id}\n")
            log.write(f"URL: {url}\n")

        resp = requests.put(url, headers=headers, json=payload, timeout=10)

        with open("/tmp/stt_matrix.log", "a") as log:
            log.write(f"Response: {resp.status_code}\n")
Confidence
95% confidence
Finding
resp = requests.put(url, headers=headers, json=payload, timeout=10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation exposes capabilities beyond a simple local STT tool, including shell execution, network use, environment access, and file writing, yet no permissions are declared. This undermines user trust and permission boundaries because operators may run a supposedly local/offline skill without realizing it can access credentials, write logs, or communicate externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill is presented as a local speech-to-text utility, but its documented behavior includes loading credentials from local .env files, writing logs to /tmp, and sending transcriptions to Matrix rooms over the network when --room-id is used. This mismatch is dangerous because users may provide sensitive audio expecting fully local processing, while the skill can exfiltrate derived content and interact with external services using local secrets.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill is described as local speech-to-text, but the implementation can send recognized speech to a Matrix room over the network. That mismatch is security-relevant because users and orchestrators may grant it trust appropriate for an offline/local tool while it actually has data egress behavior.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Reading ~/.openclaw/.env and ~/.env to source Matrix credentials gives this skill access to unrelated secrets beyond what a local STT utility needs. In context, that broadens the privilege boundary and makes accidental or malicious exfiltration of user credentials and transcripts more likely.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This block performs outbound HTTP requests to Matrix despite the skill being framed as local STT. The context makes this more dangerous because speech transcripts often contain sensitive personal or organizational information, and users may not expect any network transmission from a 'local' capability.

External Transmission

Medium
Category
Data Exfiltration
Content
log.write(f"Attempting send to {room_id} at {txn_id}\n")
            log.write(f"URL: {url}\n")

        resp = requests.put(url, headers=headers, json=payload, timeout=10)

        with open("/tmp/stt_matrix.log", "a") as log:
            log.write(f"Response: {resp.status_code}\n")
Confidence
94% confidence
Finding
requests.put(url, headers=headers, json=

Env Variable Harvesting

High
Category
Data Exfiltration
Content
"""Send transcription to Matrix room via REST API."""
    load_env_file()
    homeserver = os.environ.get("MATRIX_HOMESERVER")
    access_token = os.environ.get("MATRIX_ACCESS_TOKEN")

    if not homeserver or not access_token:
        if not quiet:
Confidence
90% confidence
Finding
os.environ.get("MATRIX_ACCESS_TOKEN

Credential Access

High
Category
Privilege Escalation
Content
def load_env_file():
    """Load .env file from home directory if it exists."""
    env_paths = [Path.home() / ".openclaw" / ".env", Path.home() / ".env"]
    for env_path in env_paths:
        if env_path.exists():
Confidence
90% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def load_env_file():
    """Load .env file from home directory if it exists."""
    env_paths = [Path.home() / ".openclaw" / ".env", Path.home() / ".env"]
    for env_path in env_paths:
        if env_path.exists():
            with open(env_path) as f:
Confidence
90% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def load_env_file():
    """Load .env file from home directory if it exists."""
    env_paths = [Path.home() / ".openclaw" / ".env", Path.home() / ".env"]
    for env_path in env_paths:
        if env_path.exists():
            with open(env_path) as f:
Confidence
90% confidence
Finding
.env"

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.