ClawHub

Speechmatics

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Speechmatics transcription helper that sends a user-chosen audio file to Speechmatics and writes back the transcript.

Install only if you are comfortable sending selected audio files to Speechmatics or the configured base URL. Avoid using it for sensitive recordings unless Speechmatics’ data handling fits your needs, keep the API key out of shared files and logs, and set --out explicitly if you do not want an existing transcript file overwritten.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises shell-based execution and networked transcription behavior but does not declare permissions accordingly. This weakens policy enforcement and user awareness, making it easier for a skill to invoke external commands and transmit data without explicit consent controls.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill handles user audio but does not clearly warn that recordings are uploaded to Speechmatics, a third-party service, for processing. This creates a meaningful privacy and compliance risk because users may provide sensitive voice notes, meetings, or calls without understanding that the data leaves the local environment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script uploads the provided audio file to the Speechmatics remote API via curl, but there is no explicit notice, confirmation, or consent check before transmitting potentially sensitive voice data off-host. In a transcription skill this behavior is functionally expected, but it still creates a real privacy and data-handling risk because users may assume processing is local or may not realize confidential recordings are being sent to a third party.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal