Faster Whisper Local Service

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it installs a local speech-to-text service, with persistence and downloads clearly disclosed.

Before installing, be comfortable with a local Python environment, package/model downloads, disk usage for Whisper models, and a background user service that keeps running until disabled. Review the documented paths and uninstall commands, and keep GStreamer and Python dependencies updated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The script writes a Python server file and a persistent systemd user service, then enables and starts it, without any user-facing disclosure or confirmation. In an agent skill context, silently creating files and installing background persistence is security-relevant because it changes the host state in a durable way and can surprise users or bypass informed consent.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script performs pip-based network installation of faster-whisper without explicit disclosure to the user. Even though package installation is expected for deployment, silent dependency fetches introduce supply-chain and environment-modification risk, especially in an automated skill where users may not realize code will be downloaded and executed.

VirusTotal

64/64 vendors flagged this skill as clean.
