Back to skill

Security audit

Whisper Local Api

Security checks across malware telemetry and agentic risk

Overview

This local transcription skill is coherent, but it needs review because it installs unpinned external code and overstates its offline/privacy protections.

Install only if you are comfortable trusting and reviewing the external backend repository and its dependencies. Prefer pinning the backend to a known commit, keep the service bound to localhost unless remote access is intentional, add firewall/authentication before exposing it, and do not set WHISPER_API_URL or WHISPER_REPO_URL to hosts you do not trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documentation markets the service as '100% Offline & Private' with 'Zero cloud dependencies,' yet the workflow includes a bootstrap/install step that would commonly fetch packages, binaries, or models from external sources. This can mislead users into making security or privacy decisions based on inaccurate assumptions about network access and external dependencies.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
Stating that the API 'securely binds locally to 0.0.0.0' is incorrect and dangerous because `0.0.0.0` exposes the service on all network interfaces, not just localhost. In this context, an unauthenticated OpenAI-compatible transcription endpoint could become reachable by other machines on the LAN or internet if firewalling is weak or the host is exposed.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The bootstrap script pulls executable code from a remote GitHub repository and then later installs its Python dependencies without pinning to a trusted commit, tag, or verified artifact. That creates a software supply-chain risk: if the repository, default branch, or transport path is compromised, a user running the bootstrap script may execute attacker-controlled code despite the skill being marketed as secure and offline.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The script presents dependency installation as 'secure' and declares the result 'Safe to run' even though it has just installed packages and fetched code from unverified remote sources. These assurances can mislead operators into trusting the environment and suppress normal scrutiny, increasing the likelihood that a supply-chain compromise or unsafe dependency execution will succeed unnoticed.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The script explicitly claims the transcription is 'private' and 'offline', but the request target is configurable through WHISPER_API_URL and may point to a remote host. This can cause users to unknowingly upload sensitive audio to an external service, creating a confidentiality risk through misleading security assurances rather than through code execution.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill is marketed as a secure offline local Whisper endpoint, yet this smoke test supports exfiltrating audio to any configured endpoint via WHISPER_API_URL. In this context, the mismatch is security-relevant because users may rely on the offline/privacy promise when testing sensitive voice data and unknowingly send it off-device.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.