asr

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward cloud speech-to-text skill, but users should understand that chosen audio is sent to SkillBoss for transcription.

Install this only if you are comfortable sending selected audio files or URL-fetched media to SkillBoss for processing. Avoid confidential, regulated, or internal recordings unless SkillBoss terms, retention practices, and your organization’s policies allow it, and keep the API key protected.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly encourages transcription of local files and remote URLs using an external API service, but it does not warn users that the referenced content will be transmitted off-host to a third party. This creates a real privacy and data-handling risk because users or downstream agents may upload sensitive audio, embedded personal data, or internal-only URLs without informed consent.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The script uploads full audio content and metadata to a third-party API during normal execution, but it does not present a clear runtime warning or confirmation when the transmission occurs. This creates a privacy and data-handling risk because users may process sensitive recordings without an explicit point-of-use notice that the data leaves the local system.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal