Speech to Text Transcription

Security checks across malware telemetry and agentic risk

Overview

This is a coherent transcription helper with disclosed local storage and optional cloud uploads, but users should treat audio files and transcripts as sensitive.

Install only if you are comfortable with a local ~/speech-to-text-transcription/ folder storing transcription preferences and any transcripts you choose to save. Use local Whisper for sensitive recordings, confirm before sending audio to OpenAI, AssemblyAI, or Deepgram, and keep API keys in environment variables.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The activation guidance tells the agent to start helping whenever the skill directory is missing and to 'start helping the user naturally,' but it does not clearly limit when the skill should activate. That ambiguity can cause unsolicited handling of user files or assumptions about transcription intent, which is risky in a skill that may process sensitive audio or video content.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The setup instructs the skill to store user preferences and usage context in an internal memory file without requiring user notice or consent. Because these preferences can reveal workflow habits, language, and potentially sensitive context about recorded content, silent persistence creates a privacy and retention risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal