Security audit

Nex Voice

Security checks across malware telemetry and agentic risk

Overview

Nex Voice does what it claims, but users should understand that saved transcripts are local and optional LLM extraction can send transcript text to a configured provider.

Install only if you are comfortable storing recordings, transcripts, action items, exports, and possibly an API key under ~/.nex-voice. For local-only use, do not configure an API key and do not pass --use-llm. If you enable LLM extraction, assume the full transcript is sent to the configured provider or custom endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions, yet its documented behavior clearly requires shell execution, environment/config handling, and local file/database read-write operations. This mismatch weakens least-privilege controls and can cause the agent or reviewer to underestimate what the skill can access or modify.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
This helper is advertised around local transcription/action extraction, yet when use_llm is enabled it transmits transcript contents to an external endpoint defined by api_base. In a voice-notes skill, transcripts often contain sensitive business or personal data, so broad outbound data flow materially changes the trust boundary and can expose confidential information to third parties or attacker-controlled endpoints.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger list contains broad natural-language terms such as 'transcribe', 'action item', and 'audio file' that can appear in many unrelated conversations. Overbroad invocation can cause the skill to activate unexpectedly and process sensitive local audio/transcript data or run commands when the user did not intend to use this skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function embeds the full transcript into the prompt and sends it to an external chat completions API, but this file contains no warning, consent gate, redaction, or minimization before transmission. Given the skill context claims local security for audio and transcripts, undisclosed export of transcript text is especially risky and likely to violate user expectations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The API key is stored in config.json in plaintext via set_api_key() -> set() -> save(), which increases the chance of credential disclosure through local file access, backups, accidental sharing, or permissive filesystem permissions. In this skill's context, the key may authorize external LLM usage and billing, so compromise could expose sensitive transcript-derived data and incur account abuse.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The conversion routine forces overwrite with '-y' and writes to a deterministic filename in the source directory, so an existing file can be silently replaced. In a note-taking/transcription context, this can destroy prior recordings or derived artifacts without user awareness, causing integrity and availability loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The transcription flow writes transcript JSON to disk in the same directory as the audio file and only deletes it after reading, creating an undisclosed transient plaintext artifact. Because this skill handles potentially sensitive voice notes and meeting content, temporary on-disk transcript exposure increases privacy risk if other local users, backup systems, sync tools, or crash conditions capture the file before deletion.

Missing User Warnings

High
Confidence
96% confidence
Finding
When --use-llm is enabled, the code sends recording.transcript to an external API endpoint using configured api_base, api_key, and model settings, but provides no explicit warning, confirmation, or trust restriction around disclosure of potentially sensitive voice transcripts. In this skill's context, transcripts may contain meetings, reminders, names, deadlines, and business-sensitive content, so silent transfer to third-party or attacker-controlled endpoints materially increases confidentiality risk.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.