Back to skill

Security audit

Transcribee 🐝

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real transcription tool, but it sends media and transcript data to cloud AI services and lets AI-generated folder names control local file placement without enough containment.

Review before installing. Use this only for media you are comfortable sending to ElevenLabs and Anthropic, and expect transcripts plus metadata to be stored in ~/Documents/transcripts. Avoid sensitive local recordings unless that cloud processing is acceptable. The publisher should add clear privacy disclosure, exact API-key requirements, and strict validation that AI-selected categories cannot contain path traversal or nested paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill advertises external dependencies and references a `.env` file for API errors, but it does not declare permissions or clearly disclose environment-variable usage. Hidden access to secrets or configuration is risky because users and the platform cannot accurately assess what sensitive data the skill may require or expose.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior materially understates the skill's effective capabilities: persistent library reads/writes, richer metadata extraction, broader URL support, and transmission of transcript/library content to third parties. This is dangerous because users may invoke a seemingly simple transcription tool without understanding that it can collect, organize, and externally share substantially more data than described.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documentation describes capabilities beyond the skill's stated transcription purpose, including downloading from additional platforms and AI-driven knowledge-library categorization. This scope expansion increases the chance that users and reviewers will not understand what data is collected, where it is sent, or what actions the skill performs, creating a real trust and security boundary issue.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
AI-based classification and organization of transcripts into a knowledge library is a materially different function from transcription alone, and it requires reading existing library contents plus sending transcript-derived content to another model. That broadens data access and processing without clear justification from the declared skill purpose, making over-collection and unintended disclosure more likely.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill does more than transcription: it sends transcript content to Anthropic for classification and writes organized transcript archives under the user's Documents directory. This undisclosed secondary processing expands data exposure and persistence, especially for sensitive local or private media, and can violate user expectations around where content is sent and stored.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill sends transcript content to ElevenLabs for speech-to-text and sends transcript content plus library structure to Claude for categorization, but the description omits a privacy warning about these external transfers. Because transcripts may contain sensitive personal, business, or copyrighted content, users could unknowingly expose confidential data to third-party services.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The documented invocation is overly broad: asking an agent to 'transcribe any YouTube video' provides no constraints on permitted sources, privacy expectations, output handling, or confirmation before processing. In an agent setting, this can cause unintended exfiltration of private/local media or processing of sensitive URLs through external services without adequate user awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explains setup and usage but does not clearly warn that media content and related metadata are transmitted to external providers (ElevenLabs and Anthropic) and that transcripts are persisted under ~/Documents/transcripts/. Users may unknowingly submit sensitive local recordings or private media, creating confidentiality and data-retention risks in an agent workflow.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill description does not warn that local media files or downloaded media from URLs are sent to ElevenLabs for transcription, which creates a meaningful privacy and data-handling risk. Users may provide sensitive recordings under the assumption processing is local, when in fact the content is transmitted to an external provider.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Local media selected by the user is uploaded to ElevenLabs for transcription, and the resulting transcript is then sent to Anthropic for classification, without any explicit warning or consent gate in the code path. This can expose private conversations, recordings, or confidential business material to third-party AI providers contrary to user expectations for a 'local file' workflow.

Ssd 1

High
Confidence
94% confidence
Finding
The prompt sent to Anthropic directly embeds untrusted transcript text plus stored library summaries, allowing spoken or previously-ingested content to influence the model's control flow and output. An attacker can craft audio containing instructions like path-selection payloads or JSON-shaping directives, causing misclassification, unsafe folder names, or corruption of the transcript library organization logic.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"license": "ISC",
    "packageManager": "pnpm@10.10.0",
    "dependencies": {
        "@anthropic-ai/sdk": "^0.67.0",
        "dotenv": "^16.5.0",
        "elevenlabs": "^1.57.0",
        "tsx": "^4.19.4"
Confidence
96% confidence
Finding
"@anthropic-ai/sdk": "^0.67.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"packageManager": "pnpm@10.10.0",
    "dependencies": {
        "@anthropic-ai/sdk": "^0.67.0",
        "dotenv": "^16.5.0",
        "elevenlabs": "^1.57.0",
        "tsx": "^4.19.4"
    },
Confidence
96% confidence
Finding
"dotenv": "^16.5.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
        "@anthropic-ai/sdk": "^0.67.0",
        "dotenv": "^16.5.0",
        "elevenlabs": "^1.57.0",
        "tsx": "^4.19.4"
    },
    "devDependencies": {
Confidence
97% confidence
Finding
"elevenlabs": "^1.57.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"@anthropic-ai/sdk": "^0.67.0",
        "dotenv": "^16.5.0",
        "elevenlabs": "^1.57.0",
        "tsx": "^4.19.4"
    },
    "devDependencies": {
        "@types/node": "^22.15.12"
Confidence
93% confidence
Finding
"tsx": "^4.19.4"

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.