Back to skill

Security audit

Groq Whisper

Security checks across malware telemetry and agentic risk

Overview

This skill transparently sends a user-supplied audio file to Groq for cloud transcription and does not show hidden collection, persistence, or unrelated behavior.

Install only if you are comfortable sending audio recordings to Groq for transcription. Avoid using it on confidential, regulated, or third-party recordings unless that cloud processing is acceptable, and protect the Groq API key with restrictive file permissions or an environment variable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
81% confidence
Finding
The invocation guidance says to call the script whenever an audio or voice attachment is received and to pass the file path directly, which is overly broad and could cause automatic exfiltration of user-provided audio to an external service without contextual checks. In an agent setting, loose triggering increases the chance of unintended data sharing, especially for sensitive voice notes or attachments.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes transcription convenience but does not prominently warn that audio content is transmitted to Groq's cloud API for processing. Users or calling agents may therefore treat it like a local utility and unintentionally send private or regulated audio off-device.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script uploads the provided audio file to Groq's external API for transcription, which means potentially sensitive voice content leaves the local environment. In a skill context, this can expose private or regulated data if users are not clearly warned that transcription is cloud-based and involves third-party processing.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.