ClawHub

Fun-ASR-File

Security checks across malware telemetry and agentic risk

Overview

This skill transcribes user-selected audio through Alibaba DashScope, with normal privacy and API-key cautions but no evidence of hidden or destructive behavior.

Install only if you are comfortable sending selected audio files to Alibaba Cloud DashScope and using a DashScope API key. Use a dedicated, rotatable key, avoid transcribing sensitive recordings unless authorized, and install dependencies from trusted sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill requires an API key via the DASHSCOPE_API_KEY environment variable, which indicates access to sensitive environment-based secrets, but it does not declare corresponding permissions. Undeclared capability use weakens transparency and trust boundaries, making it harder for reviewers and users to understand what sensitive resources the skill needs.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill description explains local audio transcription but does not clearly disclose that local audio files are sent to the external DashScope API for processing. This can mislead users into believing processing is local-only, creating privacy and data-handling risks if sensitive recordings are uploaded without informed consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends a user-supplied local audio file to DashScope for transcription, but does not clearly disclose that the file leaves the local machine and is processed by a third-party service. This can expose sensitive speech content, personal data, or regulated information when users reasonably assume 'local file' means local processing only.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal