Security audit

transcribe

Security checks across malware telemetry and agentic risk

Overview

This is a small transcription helper that sends a user-chosen audio file to SkillBoss using an API key, which matches its stated purpose.

Install only if you trust SkillBoss with the audio you choose to transcribe and with the SKILLBOSS_API_KEY. Avoid sending private, confidential, or regulated recordings unless you have reviewed SkillBoss's data handling and retention policies, and prefer a revocable scoped API key where possible.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill explicitly instructs users to base64-encode an audio file and send it to a third-party API for transcription, but it does not provide any warning about privacy, retention, consent, or handling of potentially sensitive voice data. Because audio may contain personal, confidential, or regulated information, omitting disclosure can lead to unsafe use and unintended data exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.