Voice Transcribe

Security checks across malware telemetry and agentic risk

Overview

This transcription skill appears purpose-built, but it needs review because it relies on an unbundled hard-coded local script and can upload voice audio to OpenAI using a local API key.

Install only if you trust the local transcribe script at the referenced path or can review it separately. Use a dedicated OpenAI API key, avoid sensitive or third-party voice recordings unless you have consent, and check where transcripts or cache files are stored and how to clear them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The skill instructs the agent to run transcription whenever it receives voice memos, without requiring confirmation, scope checks, or sensitivity screening. In this context, that can cause private audio to be sent to an external API by default, creating an unnecessary data-exposure risk and increasing the chance of unintended tool execution.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill description omits that audio content is transmitted to OpenAI for transcription, so users may unknowingly expose sensitive voice data, personal information, or confidential business content to an external service. Because the skill is specifically designed to process voice memos, this missing disclosure materially increases privacy and consent risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal