Zhipu Asr

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it transcribes user-selected audio through Zhipu AI, with the main risk being that audio and optional context are sent to an external provider.

Install only if you are comfortable sending selected audio files, optional context prompts, and hotwords to Zhipu AI for transcription. Protect the ZHIPU_API_KEY, review provider data-retention terms for sensitive recordings, and avoid submitting confidential meetings, calls, or personal voice data without consent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill declares required binaries and an API key but does not declare explicit permissions despite invoking shell-based functionality. In an agent ecosystem, undeclared execution capability weakens trust and review boundaries because users may not realize the skill can run local commands such as ffmpeg, curl, and jq.

Missing User Warnings

Medium
Confidence: 94%
Finding: The README describes local transcription usage but does not disclose that audio content is sent to Zhipu AI's external ASR service. Users may unknowingly upload sensitive recordings such as meetings, calls, or lectures containing personal or confidential information, creating privacy, compliance, and data-handling risks.

Missing User Warnings

Medium
Confidence: 97%
Finding: The documentation does not clearly warn that audio files, plus optional prompt context and hotwords, are transmitted to Zhipu AI's external service. This can cause users to unknowingly send sensitive voice content, personal data, meeting recordings, or proprietary terms to a third party, creating privacy, compliance, and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.
