Back to skill

Security audit

transcribe

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward speech-to-text helper that sends user-selected audio to SkillBoss as its stated purpose.

Install this only if you intend to use SkillBoss for remote transcription. Do not send private calls, meetings, customer recordings, or regulated data unless you have authorization and are comfortable with SkillBoss handling that audio under its terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill explicitly instructs users to send audio content to a third-party remote API, but it does not clearly warn about privacy, consent, retention, or external data handling implications. Because audio may contain sensitive personal or confidential information, omission of that warning can lead to unintentional disclosure to an external service.

External Transmission

Medium
Category
Data Exfiltration
Content
API_BASE = "https://api.skillbossai.com/v1"

def pilot(body: dict) -> dict:
    r = requests.post(
        f"{API_BASE}/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body,
Confidence
90% confidence
Finding
requests.post( f"{API_BASE}/pilot", headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"}, json=

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.