asr-skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local audio/video transcription skill, with ordinary cautions about first-run downloads, background jobs, and local task logs.

Install only if you are comfortable with a local transcription tool that may download third-party ASR models/dependencies on first use. Use async mode deliberately because it starts a background worker, and delete .asr_skill/tasks.json if local media filenames or paths should not remain in task history. For higher assurance, verify or pin the missing asr_skill package/source before using it on sensitive media.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"-of", "default=noprint_wrappers=1:nokey=1", 
            str(file_path)
        ]
        result = subprocess.run(cmd, capture_output=True, text=True, check=True)
        return float(result.stdout.strip())
    except (subprocess.CalledProcessError, FileNotFoundError, ValueError):
        pass
Confidence
70% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
]
        
        # Detach process
        subprocess.Popen(
            cmd,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
Confidence
70% confidence
Finding
subprocess.Popen( cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, start_new_session=True )

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest and notes emphasize local ASR processing and privacy, which implies operation without external connectivity beyond expected local computation. However, the file explicitly says FFmpeg is auto-installed with an internet connection on first run and that models are downloaded, which materially expands behavior beyond purely local processing.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The natural-language description says the ASR model is "Paraformer-large (Chinese optimized)," which imposes a locale/language preference in the skill description. Because the file does not offer an explicit user opt-in or clearly document that the skill is only intended for Chinese-language transcription, this may violate language/locale policy requirements.

Missing User Warnings

Low
Confidence
84% confidence
Finding
This code creates a persistent .asr_skill/tasks.json file and stores input_file and output_dir values for every task. Although the script logs operational status, there is no user-facing warning in the CLI help, print output, or comments that task history containing local file paths will be retained on disk.

Unvalidated Output Injection

High
Category
Output Handling
Content
"-of", "default=noprint_wrappers=1:nokey=1", 
            str(file_path)
        ]
        result = subprocess.run(cmd, capture_output=True, text=True, check=True)
        return float(result.stdout.strip())
    except (subprocess.CalledProcessError, FileNotFoundError, ValueError):
        pass
Confidence
95% confidence
Finding
subprocess.run(cmd, capture_output

VirusTotal

66/66 vendors flagged this skill as clean.
