Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
vosk pytest
- Confidence
- 94% confidence
- Finding
- vosk
Voice2text
Security checks across malware telemetry and agentic risk
Overview
This skill appears to locally transcribe a user-provided WAV file and does not show hidden data access, persistence, or exfiltration behavior.
Install from trusted Python package sources, pin reviewed dependency versions where possible, and obtain the Vosk model from a trusted source. Treat any audio you provide as sensitive because its transcript will be returned into the agent session.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
vosk pytest
- Confidence
- 97% confidence
- Finding
- pytest
Known Vulnerable Dependency: pytest — 1 advisory(ies): CVE-2025-71176 (pytest has vulnerable tmpdir handling)
Low
- Category
- Supply Chain
- Confidence
- 86% confidence
- Finding
- pytest
VirusTotal
65/65 vendors flagged this skill as clean.