DeepGram Speech platform

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Deepgram transcription guide; the main user consideration is that audio and a locally stored Deepgram API key are involved.

Before installing, verify that @deepgram/cli is the official package, protect the locally stored API key, and only transcribe audio you are authorized to send to Deepgram, especially for confidential, personal, or regulated recordings.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill documents multiple input paths for audio, including local files, remote URLs, STDIN, and live microphone, but does not disclose that the content is sent to Deepgram's external service for transcription. This omission can cause users to submit sensitive or regulated audio under the mistaken assumption that processing is local, increasing the risk of unintended data exposure and privacy/compliance violations.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal