Voice Transcription

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward cloud audio transcription skill that sends a user-chosen audio file to SiliconFlow and does not show hidden or unrelated behavior.

Install only if you are comfortable sending selected audio files to SiliconFlow for transcription. Avoid confidential, regulated, or highly personal recordings unless SiliconFlow's privacy and retention terms meet your needs, and keep the SILICONFLOW_API_KEY private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill declares no permissions, yet its documented behavior and install/runtime requirements clearly imply access to environment variables, outbound network access to SiliconFlow, and file output. This mismatch can mislead users and policy systems about what the skill actually does, reducing informed consent and weakening enforcement around sensitive capabilities.

Vague Triggers

Medium
Confidence: 78%
Finding:
The activation guidance is broad enough that the skill may trigger on vague phrases like '听一下这个录音' ("listen to this recording") without clear confirmation that the user wants external transcription. Over-broad invocation can cause accidental processing of audio, including sending sensitive recordings to a third-party API without deliberate user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill describes transcription functionality but does not clearly warn that user audio will be transmitted to SiliconFlow for processing. In this context, omission is significant because audio often contains highly sensitive personal, business, or biometric information, and users may reasonably assume local processing if no external-transfer notice is given.

Missing User Warnings

Medium
Confidence: 88%
Finding:
The script uploads the user-supplied audio file to a third-party service, but it does not present an explicit privacy or data-transfer warning at the point of use. Because audio may contain sensitive personal or confidential information, users may unknowingly transmit regulated or private data off-device.

VirusTotal

64/64 vendors flagged this skill as clean.
