Back to skill

Security audit

MOSI Transcribe Diarize 多说话人转写

Security checks across malware telemetry and agentic risk

Overview

This is a coherent transcription skill that sends user-selected audio to MOSI Studio and saves transcript files locally.

Install this only if you intend to use MOSI Studio for transcription. Use a dedicated revocable API key, submit only recordings or URLs you are allowed to share with MOSI, and choose an output location suitable for sensitive meeting or interview transcripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill description explains how to submit URL, local file, or Base64 audio for transcription, but it does not clearly warn that the audio content will be transmitted to an external service at studio.mosi.cn. Because audio may contain sensitive personal, business, or regulated information, missing this disclosure can cause users to unknowingly exfiltrate confidential data to a third party.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script sends full audio content, which may contain sensitive conversations or personal data, to an external HTTPS service without an explicit runtime notice or consent prompt. In a transcription skill, external transmission is expected, but the lack of clear disclosure increases privacy and compliance risk because users may not realize local files or base64 audio are uploaded off-host.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The tool writes transcript outputs and speaker-separated text to disk by default, which can expose sensitive meeting or interview content to other local users, backups, or downstream processes if operators do not expect persistent storage. In this skill's context, saving results is core behavior, but the absence of clear disclosure and safer defaults creates a real confidentiality risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.