ClawHub

asr

Security checks across malware telemetry and agentic risk

Overview

This skill performs user-requested speech transcription through a hosted SkillBoss/HeyBoss API, with privacy considerations but no evidence of hidden or unrelated behavior.

Install only if you are comfortable sending the audio files or URLs you choose to SkillBoss/HeyBoss for transcription using your API key. Avoid confidential, regulated, or internal-only recordings unless the provider's privacy, retention, billing, and security terms meet your requirements, and store the API key as a secret rather than committing it to source control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly supports transcribing remote URLs and local files, but it does not warn users that the referenced audio or uploaded file contents will be sent to an external third-party service. This can cause unintentional disclosure of sensitive audio, embedded personal data, or confidential files, especially in automated agent workflows where users may assume processing is local.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The documentation instructs users to place an API key in an environment variable and .env/agent config, but it does not include any guidance about keeping credentials secret, avoiding commits to source control, or limiting key exposure in shared agent environments. In multi-user or CI environments, this omission can increase the risk of accidental credential leakage or misuse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The command sends user-supplied audio from a local file or downloaded URL to a third-party API, but there is no explicit disclosure or confirmation at execution time that the content will leave the local environment. In an ASR skill this transmission is expected functionally, but the lack of clear runtime notice increases privacy and data-handling risk, especially for sensitive audio.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal