Back to skill

Security audit

Podcast Transcribe

Security checks across malware telemetry and agentic risk

Overview

This is a coherent podcast transcription skill, but users should understand its external CLI, cloud transcription, and API-key handling before use.

Install only if you are comfortable running the external podcast-helper package and with selected audio being processed by whichever engine is configured. For sensitive recordings, explicitly choose the local mlx-whisper engine, avoid optional Jina cleanup context for private URLs, and do not print or share full API keys.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The documentation explicitly promotes third-party transcription providers and automatic provider selection based on available API keys, but it does not warn that audio content and possibly associated metadata will be sent off-device to external services. In a transcription skill, users may reasonably assume local processing unless clearly told otherwise, so this omission can lead to unintentional disclosure of sensitive recordings.

Missing User Warnings

Low
Confidence
72% confidence
Finding
The environment-check section references credential-bearing environment variables without any caution about secret handling, which can normalize unsafe practices around API key exposure. Although it does not itself exfiltrate secrets, documentation that omits warnings can increase the chance that users reveal or mishandle credentials in logs, terminals, or shared screenshots.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.