Back to skill

Security audit

Voice Transcriber Toolkit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local voice transcription skill with ordinary media-processing and dependency risks, not evidence of malicious behavior.

Install this only if you are comfortable installing ffmpeg and Python packages for local audio processing. Avoid pointing conversion outputs at important existing files, and use a sandbox or pinned dependency set if you need reproducible installs or are processing sensitive audio.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
convert_to_wav() can overwrite an arbitrary path because it accepts caller-controlled output_path and always passes ffmpeg the '-y' flag, suppressing confirmation. In an agent or automation context, this can destroy or replace local files unexpectedly, especially if the caller points output_path at sensitive or important locations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.