ClawHub
Back to skill

Security audit

moss-transcribe-diarize

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward remote transcription skill, but users should treat uploaded audio as leaving their machine.

Install only if you trust the Mosi transcription service with the recordings you process. Avoid confidential, regulated, or third-party audio unless you have permission and understand the provider's handling; use a dedicated API key and choose output paths deliberately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to run a Python script that reads environment variables for API keys, accepts local file input, writes multiple output files, and makes outbound network requests, yet it declares no explicit permissions. This mismatch can undermine platform trust and consent controls because users and reviewers are not clearly informed that the skill can access secrets, local files, and the network.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script sends supplied audio, which may contain sensitive conversations or personal data, to a third-party remote transcription service without presenting an explicit runtime notice or consent checkpoint. In the context of a transcription skill handling meetings and interviews, this increases privacy and compliance risk because operators may process confidential recordings without realizing they leave the local environment.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.