speech2text

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do its advertised speech-to-text job, with privacy caveats around local voice files.

Install only if you are comfortable with local voice messages being converted and transcribed into agent-readable text. Use trusted ffmpeg and Python package sources, and be aware that manual use without an attachment may process the newest inbound voice file.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 72% confidence
Finding: Falling back to scanning a default inbound media directory means the skill may process the latest audio file even when the current request did not explicitly provide that file. In an agent context, this can cause unintended access to previously received user media and cross-message or cross-session data exposure, especially if multiple users or conversations share the same storage location.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal