Audio Handler

Security checks across malware telemetry and agentic risk

Overview

This is a local audio-processing skill whose main risk is accidentally overwriting chosen output files.

Install this if you want local audio utilities. Use trusted ffmpeg/ffprobe/jq installations, review commands before running them, and choose fresh output filenames because conversion, trimming, and normalization can replace existing files without prompting.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger text is overly broad because it activates on generic mentions of audio files, paths with common audio extensions, or requests to process/convert audio without requiring clear user intent to invoke this specific skill. In an agent environment, broad matching can cause unintended skill activation and execution of file-processing commands on user-referenced content, increasing the chance of unauthorized or surprising actions.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The script invokes ffmpeg with the '-y' flag, which unconditionally overwrites the destination file if it already exists. In an agent or automation context, this can cause silent data loss or destruction of prior outputs when the output path is user-controlled or accidentally reused.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal