Audio Transcriber Pro

Security checks across malware telemetry and agentic risk

Overview

The skill performs legitimate audio transcription, but its optional LLM features can send sensitive transcripts to Claude or GitHub Copilot, even though the documentation claims local-only privacy.

Install only if you are comfortable with dependency installation and with transcript text potentially being processed by Claude or GitHub Copilot under your existing accounts. For confidential, regulated, or client recordings, use transcript-only/local Whisper mode or review and modify the scripts so external LLM calls and runtime pip installs cannot run automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
    RICH_AVAILABLE = False
    print("⚠️  Installing rich for better UI...")
    subprocess.run([sys.executable, "-m", "pip", "install", "--user", "rich"], check=False)
    from rich.console import Console
    from rich.prompt import Prompt
    from rich.panel import Panel
Confidence
95% confidence
Finding
subprocess.run([sys.executable, "-m", "pip", "install", "--user", "rich"], check=False)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
from tqdm import tqdm
except ImportError:
    print("⚠️  Installing tqdm for progress bars...")
    subprocess.run([sys.executable, "-m", "pip", "install", "--user", "tqdm"], check=False)
    from tqdm import tqdm

# Whisper engines
Confidence
95% confidence
Finding
subprocess.run([sys.executable, "-m", "pip", "install", "--user", "tqdm"], check=False)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Try via gh copilot
        console.print("[dim]   Invocando prompt-engineer...[/dim]")
        
        result = subprocess.run(
            ['gh', 'copilot', 'suggest', '-t', 'shell', raw_prompt],
            capture_output=True,
            text=True,
Confidence
91% confidence
Finding
result = subprocess.run( ['gh', 'copilot', 'suggest', '-t', 'shell', raw_prompt], capture_output=True, text=True, timeout=timeout )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
progress.add_task(description=f"🤖 Processando com {cli_tool}...", total=None)
            
            if cli_tool == 'claude':
                result = subprocess.run(
                    ['claude', '-'],
                    input=full_prompt,
                    capture_output=True,
Confidence
94% confidence
Finding
result = subprocess.run( ['claude', '-'], input=full_prompt, capture_output=True, text=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
timeout=timeout
                )
            elif cli_tool == 'gh-copilot':
                result = subprocess.run(
                    ['gh', 'copilot', 'suggest', '-t', 'shell', full_prompt],
                    capture_output=True,
                    text=True,
Confidence
94% confidence
Finding
result = subprocess.run( ['gh', 'copilot', 'suggest', '-t', 'shell', full_prompt], capture_output=True, text=True,

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The README states the skill works fully offline and requires no internet after initial model download, but earlier sections document optional Claude/Copilot CLI integration and automatic prompt-engineer integration. This creates a misleading security and privacy guarantee that can cause users to process sensitive transcripts under a false assumption that no external service will be contacted.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The documentation advertises zero-configuration operation without external APIs, yet the workflow supports remote URL ingestion and external LLM/CLI processing. This inconsistency can mislead users about where data goes and what network interactions occur, especially for sensitive audio transcripts.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The file states that the skill does not depend on external APIs, but other sections explicitly describe Claude/GPT API or CLI-based processing. This is a true security-relevant disclosure failure because users may expose transcript contents to third-party services without understanding that the workflow relies on them.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill adds runtime package installation behavior unrelated to the core function of transcription. That broadens the skill's operational scope and creates avoidable supply-chain and execution risk if packages are fetched dynamically during use.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill delegates prompt generation and transcript analysis to external CLI agents, expanding behavior beyond straightforward transcription into agent-to-agent data sharing. This is risky because sensitive content is sent to tools outside the script's trust boundary and users may not understand that delegation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README advertises intelligent LLM-based processing without warning that transcript contents may be transmitted to external Claude or Copilot services. Because audio transcripts often contain meetings, client calls, and other sensitive material, missing disclosure can lead to unintended data exposure and compliance issues.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The 'Privacy-First' claim is incomplete because it emphasizes 100% local Whisper processing while omitting that optional summary generation can involve networked LLM services. This partial disclosure is especially risky in a transcription skill, where users are likely to handle confidential or regulated audio content and may rely on the privacy claim when deciding to use it.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill describes LLM-based transcript summarization but does not clearly warn that potentially sensitive transcript content may be transmitted to external CLI/LLM services. In the context of meetings, interviews, and lectures, this creates a meaningful confidentiality risk because recordings often contain internal or personal information.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Transcript content is analyzed and used for prompt generation via external LLM CLI calls without a clear privacy notice explaining that audio-derived text may be transmitted to third-party services. For meeting recordings or interviews, this can expose confidential or regulated information.

Ssd 3

Medium
Confidence
97% confidence
Finding
The workflow automatically discloses transcript excerpts to an external AI for content classification and prompt suggestion in normal-language processing steps. Because transcripts can contain personal, business, or legal data, this disclosure path is a meaningful confidentiality risk in the context of an audio-transcription skill.

Ssd 3

Medium
Confidence
98% confidence
Finding
The code concatenates the entire transcript into the prompt sent to downstream LLM tooling. This creates a direct, broad data-exposure path for all spoken content in the recording, which is especially dangerous for meetings, interviews, and other sensitive audio sources.

VirusTotal

VirusTotal findings are pending for this skill version.