Speech Notes

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent audio-to-notes helper, but users should treat recordings and transcripts as sensitive because they may be sent to external transcription providers and saved locally.

Before installing, confirm that you are comfortable sending audio to Feishu, Gemini, or Qwen/DashScope, and avoid using it for confidential or regulated recordings unless those providers are approved. Decide where raw transcript files should be stored and when they should be deleted, and verify any referenced local helper script before allowing it to run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly instructs saving raw transcripts to a local file but provides no retention, access-control, or deletion guidance. Transcripts often contain sensitive business or personal speech content, so leaving them on disk can create unintended data exposure through shared environments, backups, or later compromise.

Missing User Warnings

High
Confidence: 97%
Finding
The skill sends user audio to multiple third-party transcription services (Feishu, Gemini, Qwen) without requiring a clear user notice or consent for external data transfer. Audio recordings may contain confidential meeting content, personal data, or regulated information, so silent transmission to external providers materially increases privacy, compliance, and data-governance risk.

VirusTotal

66/66 vendors flagged this skill as clean.
