mano-asr

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local speech-to-text setup guide, with privacy caveats around optional transcript echoing and cloud fallback.

Use the minimal local-only configuration if privacy matters. Install only if you trust the Mininglamp-AI Homebrew tap and local model downloads, avoid enabling OpenAI fallback unless you accept third-party processing, and enable transcript echoing only in chats where exposing recognized speech as text is acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The documented '混合配置' explicitly falls back to OpenAI transcription after a local attempt fails, which can send user audio or derived transcript content to a third-party cloud provider. Although presented as optional functionality, the skill does not prominently warn that this changes the privacy model from fully local/offline processing to external data disclosure, which is risky for users expecting offline-only handling.

Ssd 3

Medium

Confidence: 90% confidence
Finding: The configuration example enables automatic transcript echoing, causing recognized speech to be sent back as plain text in the chat. This can expose sensitive spoken content, especially in shared devices, logged channels, group chats, or integrations where text is retained longer or is more visible than the original audio.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal