Speechall command-line tool for fast speech-to-text transcription using multiple providers

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward guide for installing and using a speech-to-text CLI, with normal privacy considerations because chosen audio or video is sent to an external transcription service.

Before installing, confirm the Homebrew tap or GitHub release is the Speechall source you intend to trust. Keep the Speechall API key private, prefer the environment variable over putting the key directly in shell commands, and only transcribe recordings you are authorized and comfortable sending to an external service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs users to upload local audio/video for transcription through the Speechall API and downstream third-party providers, but it does not clearly warn that file contents may leave the local machine and be processed by external services. This can cause users to unknowingly transmit sensitive conversations, meetings, medical audio, or other regulated data to external processors, creating privacy, compliance, and data handling risks.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal