Iflytek Speed Transcription

Security checks across malware telemetry and agentic risk

Overview

This skill uploads user-selected audio to iFLYTEK for transcription, which matches its stated purpose and is not hidden.

Install only if you are comfortable sending selected audio files to iFLYTEK for processing under that provider's terms. Avoid confidential, regulated, or third-party recordings unless you have the necessary permission and organizational approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 93%
Finding
The README states the external upload and processing endpoints but does not clearly warn users that their audio content is transmitted to a third-party service for storage and transcription. Because audio often contains sensitive personal, medical, financial, or meeting data, this omission can lead users to disclose regulated or confidential information without informed consent.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill does not clearly warn that user audio will be uploaded to a third-party transcription provider. Because audio may contain highly sensitive personal, medical, legal, or business information, failing to disclose external transmission creates a meaningful privacy and consent risk in this skill’s context.

Missing User Warnings

Medium
Confidence: 84%
Finding
The tool uploads user audio to an external third-party transcription service without an explicit warning or consent prompt at the point of use. In this skill context, audio may contain sensitive conversations, PII, or regulated content, so silent transmission to a remote provider creates a real privacy and compliance risk even if the network call is intentional.

VirusTotal

64/64 vendors flagged this skill as clean.
