Dlazy Elevenlabs Stt

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed wrapper for dLazy's ElevenLabs speech-to-text CLI, with a reproducibility caveat around installing the latest CLI version.

Install this only if you trust the dLazy CLI and service with your audio files and API key. For better reproducibility, review the current @dlazy/cli release or pin a specific version instead of relying on @latest.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 97% confidence
Finding: The documentation claims the CLI install is pinned to version 1.0.9, but the manifest actually uses @latest. This creates a supply-chain integrity risk because agents or users may believe they are installing a reviewed fixed version when they are in fact pulling whatever version is current at execution time, which can introduce unreviewed behavior or malicious updates.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal