Transcribee 🐝

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate transcription tool, but it sends media/transcripts to cloud services and lets AI-generated categorization control where transcript files are written without enough containment.

Review before installing. Use it only for media you are comfortable sending to ElevenLabs and Anthropic, and avoid sensitive local recordings unless provider processing is acceptable. The publisher should add clear privacy disclosure, declare required API keys, and validate the AI-generated category so outputs cannot escape the intended transcript folder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill documentation indicates use of environment-based configuration (for example, an .env file for API errors) but does not declare any corresponding permission or capability boundary. This creates a transparency and consent problem: users and tooling may not realize the skill depends on secrets or environment data, which can lead to unintended access to API keys or other sensitive configuration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior understates the actual data access and processing scope: beyond simple transcription, the skill reportedly reads prior transcript libraries, performs automated classification, writes organized outputs under ~/Documents, stores rich metadata, and may use external LLM analysis. This mismatch is dangerous because users may grant or invoke the skill expecting narrow transcription only, while it can process additional local content and transmit or persist more data than anticipated.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documentation describes functionality beyond the stated skill scope: downloading from multiple social platforms and using Claude to categorize transcripts into a knowledge library. Scope expansion matters in agent skills because users and reviewers may authorize a simple transcription tool while the implementation also performs downstream AI analysis and persistent organization of content, increasing data exposure and behavioral surprise.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
AI-driven classification and organization of transcript content is a separate capability from transcription and introduces additional processing of potentially sensitive user data. In a skill advertised as transcription-only, this hidden semantic analysis increases privacy and authorization risk because transcript contents are being interpreted, categorized, and stored in a library without clear justification in the stated scope.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill's declared purpose is transcription of YouTube and local media, but the code also supports Instagram and arbitrary yt-dlp-supported URLs and performs post-processing classification with Anthropic. This capability mismatch can mislead users about what data sources are accepted and what external processing occurs, weakening informed consent and review boundaries.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code recursively reads the user's entire transcript library, including metadata summaries and themes, to classify a new transcript. That exceeds a narrow transcription function and creates unnecessary access to unrelated historical data, increasing privacy exposure if the library contains sensitive transcripts.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill sends transcript content, source URL/path, title, and library context to Anthropic for thematic classification, which is an external-data-transfer and analysis feature not described in the stated transcription-only purpose. This can expose sensitive media contents and local file information to a third party without clear user expectation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file states that downloaded audio is sent to ElevenLabs for transcription and transcript content is sent to Claude for classification, but there is no user-facing privacy warning or consent language. This is dangerous because audio/video content and derived transcripts often contain personal, confidential, or copyrighted material, and transmitting them to third-party services materially changes the data handling and compliance posture of the skill.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README states that media is downloaded and then sent to ElevenLabs for transcription, while transcript content is analyzed by Claude, but it does not prominently warn users that potentially sensitive audio and derived text are transmitted to third-party services. In a transcription skill, users may reasonably process private meetings, interviews, or local files, so missing privacy disclosure materially increases the risk of unintended data exposure.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill writes transcripts and metadata to ~/Documents/transcripts, but the description does not present this as an explicit user warning or consent point. Silent persistence of potentially sensitive transcript content and source metadata can expose private media contents to other local users, backup systems, indexing tools, or later unintended reuse.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Local media is uploaded to ElevenLabs for transcription, and the resulting transcript and context are sent to Anthropic, but the code contains no explicit warning, consent gate, or data-minimization step. In a transcription skill, users may reasonably expect processing of the selected file, but not necessarily silent transmission of contents and metadata to multiple external providers.

Ssd 4

Medium
Confidence
89% confidence
Finding
Untrusted transcript text is embedded directly into the LLM prompt that decides folder placement, so a transcript containing adversarial instructions can manipulate categorization output. While this is not direct code execution, it can cause integrity issues such as misfiling transcripts, creating attacker-chosen folder names, or steering the model to ignore the intended classification task.

Unpinned Dependencies

Low
Category
Supply Chain
Content
    "license": "ISC",
    "packageManager": "pnpm@10.10.0",
    "dependencies": {
        "@anthropic-ai/sdk": "^0.67.0",
        "dotenv": "^16.5.0",
        "elevenlabs": "^1.57.0",
        "tsx": "^4.19.4"
Confidence
92% confidence
Finding
"@anthropic-ai/sdk": "^0.67.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
    "packageManager": "pnpm@10.10.0",
    "dependencies": {
        "@anthropic-ai/sdk": "^0.67.0",
        "dotenv": "^16.5.0",
        "elevenlabs": "^1.57.0",
        "tsx": "^4.19.4"
    },
Confidence
92% confidence
Finding
"dotenv": "^16.5.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
    "dependencies": {
        "@anthropic-ai/sdk": "^0.67.0",
        "dotenv": "^16.5.0",
        "elevenlabs": "^1.57.0",
        "tsx": "^4.19.4"
    },
    "devDependencies": {
Confidence
92% confidence
Finding
"elevenlabs": "^1.57.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
        "@anthropic-ai/sdk": "^0.67.0",
        "dotenv": "^16.5.0",
        "elevenlabs": "^1.57.0",
        "tsx": "^4.19.4"
    },
    "devDependencies": {
        "@types/node": "^22.15.12"
Confidence
86% confidence
Finding
"tsx": "^4.19.4"

VirusTotal

59/59 vendors flagged this skill as clean.
