Back to skill

Security audit

Fun ASR Nano Transcribe

Security checks across malware telemetry and agentic risk

Overview

This looks like a real local speech-to-text skill, but it starts a long-running local service and exposes under-scoped host-file and process-control behavior that users should review first.

Install only if you are comfortable running a local ASR server. Prefer one-off CLI transcription for sensitive audio, avoid exposing the service beyond localhost, do not use /transcribe/path except on files you explicitly choose, and stop the service when finished. Review the model source and dependency versions before using it in a sensitive environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
nohup python scripts/api_server.py > {log_file} 2>&1 &
echo $! > {pid_file}
"""
    subprocess.Popen(cmd, shell=True, executable='/bin/bash')
    
    print("⏳ 等待服务启动(约 30 秒)...")
    time.sleep(30)
Confidence
94% confidence
Finding
subprocess.Popen(cmd, shell=True, executable='/bin/bash')

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill is described as a simple transcription tool, but the documented behavior includes starting a persistent local HTTP service, accepting uploaded files, transcribing arbitrary server-local paths, auto-starting the background service, and performing model management actions. This broader operational surface matters because users may authorize a transcription skill without realizing it can expose local processing endpoints and access server-side file paths.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The documentation materially expands a local transcription skill into a network-accessible Flask service exposed on 0.0.0.0, which changes the trust boundary and attack surface. Even though this is only an example, users may deploy it directly without authentication, rate limiting, input validation, or deployment hardening, enabling unintended remote access to audio processing functionality.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documented capability is inconsistent with the stated purpose of a local ASR transcription tool, making it easier for the skill to be repurposed as a remotely reachable processing service. This mismatch increases operational risk because consumers may enable a network service they did not intend to expose, without considering the security controls required for internet- or LAN-facing endpoints.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The from_pretrained method calls AutoModel.build_model with trust_remote_code=True, which allows execution of model-repository-provided Python code during model loading. If the model source or dependency chain is compromised, an attacker can achieve arbitrary code execution in the environment running this skill, which is far beyond the stated transcription scope.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
This client contains logic to auto-start a local server, manage a background process, and persist log/PID artifacts, which exceeds a narrow 'transcribe audio' function. While not inherently malicious, expanding scope increases attack surface and can surprise users by changing host state in ways unrelated to the requested transcription action.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Introducing shell-based subprocess startup into a transcription client is risky because it grants the tool process-execution capability unrelated to basic ASR requests. In this context, that capability materially increases danger because the skill can launch software locally rather than only sending audio to an already-running service.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The /transcribe/path endpoint accepts an arbitrary server-local file path and passes it to the transcriber without restriction. This lets any local caller cause the service to access sensitive files on the host, and depending on transcriber behavior may disclose contents, metadata, or trigger parsing of unintended files; in a localhost-bound service this is still dangerous because other local processes, browser-based localhost access, or port forwarding can abuse it.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script trusts a PID read from /tmp/funasr_api.pid and, if absent, kills whatever process is listening on port 11890. Because /tmp is world-writable and the script does not verify process ownership, executable path, or command line, it can terminate an unrelated local process, including with SIGKILL, causing denial of service or interfering with other applications.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The instructions explicitly tell the agent to transcribe audio and respond naturally without disclosing that speech recognition occurred. This is dangerous because it hides a data-processing step from the user, undermining informed consent and making it easier to process sensitive voice content without clear notice.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The web example accepts uploaded audio, stores it in /tmp, and processes it without documenting retention, access control, or privacy considerations. For potentially sensitive voice data, temporary disk persistence can create confidentiality risks through residual files, shared-host access, crash scenarios, or operational logging/forensics exposure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The function writes user-provided audio to a persistent temporary file on disk using delete=False, which can expose sensitive voice content to other local users, backup systems, forensic recovery, or later compromise if cleanup does not occur. In an ASR skill, audio may contain personal or regulated information, so undisclosed disk persistence increases privacy and data-handling risk even if the file is only meant to be temporary.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code appends the temporary audio path to an external cleanup queue instead of guaranteeing deletion before returning, so sensitive recordings may persist indefinitely if the caller never invokes cleanup or crashes first. Because this skill processes speech data, delayed or unreliable deletion creates a realistic privacy exposure and expands the window in which the recording can be accessed.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code can start a background server with `nohup`, write `/tmp` PID and log files, and wait for readiness without a clear warning about these side effects. This is dangerous because users may unintentionally leave a long-lived local service running, exposing resources or creating persistence they did not expect.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This endpoint exposes a sensitive capability—processing arbitrary server-local files—without warning, consent, or clear disclosure. While the missing warning is not the root flaw, it increases the likelihood of unsafe deployment and misuse by concealing that the service can touch host-local paths outside uploaded user content.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script performs destructive termination without confirmation and escalates to kill -9 automatically after a short delay. In this skill context, that is more dangerous because the advertised purpose is audio transcription, so users may not expect a helper script to forcibly terminate local processes, increasing the chance of accidental disruption or data loss if the wrong PID is targeted.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/FunASRNano.py:66