Free Groq Voice Recognition

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Groq audio transcription helper, but users should understand that their audio is uploaded to Groq and the setup guidance stores an API key in a local text file.

Install only if you are comfortable sending selected audio files to Groq for transcription. Avoid using it on confidential meetings or sensitive voice notes unless you have consent, keep the Groq API key out of version control, and do not run folder-wide transcription unless you have reviewed exactly which files will be uploaded.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
64% confidence
Finding
The skill appears to instruct the agent to handle files, batch processing, proxy configuration, and local key storage, which implies shell or file-system capable behavior, yet no explicit permissions are declared. This creates a mismatch between documented capabilities and security boundaries, increasing the chance that the skill is invoked with broader access than users expect.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README explicitly tells users to place a live Groq API key in TOOLS.md but gives no warning about keeping that file out of version control, restricting permissions, or using a secret store. This creates a realistic risk of credential leakage through commits, screenshots, logs, or shared workspace files, which could let others use the API key and access the associated account resources.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The usage examples are broad enough that the skill could activate on generic requests like transcribing voice messages or processing all audio files in a folder, without clear scoping, confirmation, or exclusions. In practice, this can lead to overbroad file access and unintended transmission of sensitive audio to a third-party API.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The top-level description emphasizes 'free voice recognition' but does not clearly warn that audio content will be sent to Groq's external API for transcription. Users may reasonably assume local processing, causing accidental disclosure of confidential voice notes, meetings, or personal recordings.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends the full audio file to Groq's external transcription API, but it provides no explicit runtime disclosure, consent prompt, or privacy warning to the user beyond comments in the source. This creates a real data exposure risk because users may unknowingly transmit sensitive voice content, credentials, meeting audio, or personal information to a third party.

External Transmission

Medium
Category
Data Exfiltration
Content
**API Endpoint:**
```
https://api.groq.com/openai/v1/audio/transcriptions
```

**Model:** `whisper-large-v3` (OpenAI's most accurate model)
Confidence
88% confidence
Finding
https://api.groq.com/

VirusTotal

64/64 vendors flagged this skill as clean.
