Pronunciation Coach

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it analyzes selected local voice recordings by sending them to Azure Speech Services, with that data flow disclosed.

Install only if you are comfortable sending selected voice recordings and reference text to Microsoft Azure for processing. Use a restricted Azure Speech key, keep it in environment variables, ensure ffmpeg and Node.js are installed, and verify the audio file before running the assessment.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill invokes shell commands and local scripts to enumerate files and process user-provided audio, but it does not declare any permissions for shell/code execution. That mismatch weakens reviewability and sandboxing expectations, and can lead to over-privileged execution of file access, ffmpeg, Node.js, and outbound Azure API calls without explicit operator awareness.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal