ClawHub

Audio Intelligence

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate Gladia audio-processing helper, but it handles highly sensitive audio and transcript data without enough privacy, consent, and retention guidance.

Review this skill before installing if you plan to process meetings, calls, customer support audio, medical/legal/financial conversations, or other sensitive recordings. Confirm Gladia's retention, deletion, compliance, and data-processing terms, obtain required participant consent, avoid unnecessary analysis features, and treat transcripts, summaries, sentiment, and extracted entities as sensitive data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly guides use of privacy-sensitive capabilities such as PII redaction, translation, summarization, and audio-to-LLM, all of which require sending audio and derived transcript data to an external provider, but it provides no warning to obtain consent, avoid unnecessary disclosure, or validate whether sensitive data may be transmitted. This is dangerous because users may process regulated, confidential, or personal conversations under the false assumption that redaction alone eliminates privacy risk, even though raw audio/transcript content must typically be uploaded before those features can operate.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
This documentation encourages enabling live translation, sentiment analysis, and named entity recognition on spoken content without any privacy or consent warning. Those features process and expose potentially sensitive personal data in real time, and omitting guidance on notice, consent, minimization, and secure handling increases the chance of unsafe deployment in production systems.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The post-processing section documents summarization and chapterization of entire live sessions without warning that full-session content is analyzed and that derived outputs may preserve or amplify sensitive information. This can lead users to process meetings, calls, or support conversations without considering data retention, secondary use, or disclosure risks in the generated summaries and chapter metadata.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal