Speech is Cheap Transcribe

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward speech-to-text skill that sends chosen audio or audio URLs to Speech is Cheap, with privacy considerations users should understand.

Install this only if you are comfortable sending selected audio, media URLs, and related transcript data to Speech is Cheap. Keep SIC_API_KEY secret, expect API usage to affect your provider account, use --private for sensitive recordings, and only configure webhook URLs that you control and trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs users to upload local audio to a third-party endpoint and optionally send completion data to arbitrary webhook URLs, but it does not clearly warn that potentially sensitive audio and transcript metadata will leave the local environment. In an agent context, this increases the risk of unintentional exfiltration of private recordings, regulated data, or internal information to external services.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script uploads user-provided audio files or remote audio URLs to third-party Speech is Cheap endpoints without an explicit warning, confirmation, or consent gate at the point of transfer. Because audio may contain sensitive personal, business, or regulated information, silent transmission to an external processor creates a real privacy and data-handling risk in this skill context.

External Transmission

Medium
Category
Data Exfiltration
Content
}
EOF
)
            curl -s -X POST "$API_BASE/jobs/" \
                -H "Authorization: Bearer $SIC_API_KEY" \
                -H "Content-Type: application/json" \
                -d "$JSON_DATA"
Confidence
93% confidence
Finding
curl -s -X POST "$API_BASE/jobs/" \ -H "Authorization: Bearer $SIC_API_KEY" \ -H "Content-Type: application/json" \ -d

VirusTotal

64/64 vendors flagged this skill as clean.
