飞书语音

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for Feishu voice transcription, but it sends voice recordings to ElevenLabs with logging enabled and without clear consent or privacy guidance.

Install only if users understand that Feishu voice recordings may be sent to ElevenLabs for transcription. Use dedicated API credentials, avoid sensitive/private audio unless consent is clear, and prefer disabling provider logging or adding an explicit approval step before uploads.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill instructs operators to upload user voice recordings to ElevenLabs for speech-to-text processing without any consent flow, privacy notice, retention discussion, or warning that third-party processing occurs. This creates a real privacy and compliance risk because potentially sensitive user audio is transmitted off-platform, and the query parameter enable_logging=true may further increase data exposure through provider-side logging.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal