Back to skill

Security audit

Jetson CUDA Voice

Security checks across malware telemetry and agentic risk

Overview

This is a powerful voice-assistant skill, but it exposes secrets and gives cloud services and home-automation controls more access than its “offline” framing suggests.

Install only after rotating/removing the exposed keys, confirming you are comfortable with voice audio and prompts leaving the device, using HTTPS or trusted local-only endpoints for Home Assistant and the gateway, and restricting the Home Assistant token to only the devices/actions this assistant should control. Treat the biometric enrollment files as sensitive and do not enable persistent listening in shared spaces without clear consent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (34)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
wf.setnchannels(1); wf.setsampwidth(2); wf.setframerate(rate)
        wf.writeframes(pcm.tobytes())
    # Kill any lingering mpg123 before aplay takes the device
    subprocess.run(['pkill', '-x', 'mpg123'], capture_output=True)
    time.sleep(0.05)
    _aplay(buf.getvalue(), wait=True)
Confidence
70% confidence
Finding
subprocess.run(['pkill', '-x', 'mpg123'], capture_output=True)

Tainted flow: 'GROQ_API_KEY' from os.environ.get (line 54, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
log.warning(f"Could not save last command WAV: {e}")
        
        # Call Groq API
        resp = requests.post(
            "https://api.groq.com/openai/v1/audio/transcriptions",
            headers={"Authorization": f"Bearer {GROQ_API_KEY}"},
            files={"file": ("audio.wav", wav_io, "audio/wav")},
Confidence
99% confidence
Finding
resp = requests.post( "https://api.groq.com/openai/v1/audio/transcriptions", headers={"Authorization": f"Bearer {GROQ_API_KEY}"}, files={"file": ("audio.wav

Tainted flow: 'gateway_url' from os.environ.get (line 592, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
)

    try:
        resp = requests.post(
            f"{gateway_url}/tools/invoke",
            headers={
                "Authorization": f"Bearer {gateway_token}",
Confidence
97% confidence
Finding
resp = requests.post( f"{gateway_url}/tools/invoke", headers={ "Authorization": f"Bearer {gateway_token}", "Content-Type": "application/

Tainted flow: 'url' from os.environ.get (line 726, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
# Call HA API
        url = f"{HA_URL}/api/services/{service}"
        resp = requests.post(
            url,
            headers={"Authorization": f"Bearer {HA_TOKEN}",
                     "Content-Type": "application/json"},
Confidence
96% confidence
Finding
resp = requests.post( url, headers={"Authorization": f"Bearer {HA_TOKEN}", "Content-Type": "application/json"}, json=data,

Tainted flow: 'data' from requests.post (line 618, network input) → requests.post (network output)

Medium
Category
Data Flow
Content
# Call HA API
        url = f"{HA_URL}/api/services/{service}"
        resp = requests.post(
            url,
            headers={"Authorization": f"Bearer {HA_TOKEN}",
                     "Content-Type": "application/json"},
Confidence
88% confidence
Finding
resp = requests.post( url, headers={"Authorization": f"Bearer {HA_TOKEN}", "Content-Type": "application/json"}, json=data,

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises capabilities that include environment access, file I/O, network, and shell execution, but it declares no permissions or equivalent trust boundary information. That mismatch prevents informed consent and proper sandboxing, increasing the chance that secrets, local files, or system resources are accessed more broadly than expected.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The description frames the skill as an offline local voice pipeline, but the documented behavior includes multiple cloud and gateway services, device control, web access, and biometric features. This is a material transparency failure: users may expose speech-derived data, credentials, and home-control functionality under the false assumption that processing stays local.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The skill is advertised as an offline Jetson voice pipeline, but the notes clearly route speech and prompts to third-party cloud services for STT, LLM, and primary TTS. This creates a material security and privacy mismatch: users or operators may believe voice data stays local when it is actually transmitted off-device, potentially exposing sensitive speech, commands, and household context.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The documented design extends beyond wake word detection, STT, and TTS into general LLM interaction and Home Assistant command execution. That expansion increases the attack surface substantially, because untrusted or misinterpreted spoken input can be converted into high-impact automation actions against the local environment.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The document claims secrets are sourced from environment variables and not hardcoded, but later includes live-looking API keys directly in the file and test commands. Embedded credentials in documentation are a serious secret exposure risk because anyone with repository or artifact access can reuse them for unauthorized API usage, billing abuse, or pivoting into connected services.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script performs speaker biometric enrollment, which materially changes the privacy and security posture of the skill beyond the declared wake-word/STT/TTS scope. Hidden or under-disclosed biometric collection is dangerous because users and operators may deploy the skill without understanding that it captures and trains on voice identity data, creating consent, retention, and misuse risks.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The user-facing prompt openly advertises voice biometric enrollment even though the broader skill metadata describes only a voice pipeline. This mismatch increases the chance of deceptive deployment or inadequate review, because biometric functionality has different privacy, legal, and security implications than ordinary STT/TTS processing.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The verification function returns successful verification when no biometric model exists and also on verification errors, which defeats the purpose of authentication. An attacker or accidental system misconfiguration can bypass speaker verification simply by deleting the model file or triggering a load/parse error, leading to unauthorized access to voice-gated actions.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The script is presented as a component test for an offline voice pipeline, yet it explicitly validates cloud STT (Groq), cloud LLM access (Anthropic), and Home Assistant connectivity. This expands the skill's trust boundary and can cause credential use and network communication that a user would not reasonably expect from an 'offline' pipeline, increasing privacy and capability risk.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The script reads Anthropic and Home Assistant credentials and then uses them to reach external or privileged local services, which is not justified by the stated offline voice-pipeline purpose. Accessing these secrets and capabilities broadens exposure to account misuse, device control, and unintended data disclosure if the script is run in a trusted environment.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The comments and labeling describe local component testing, but the script later performs cloud API calls and Home Assistant endpoint checks. That mismatch can mislead operators into running code under a lower-risk assumption than warranted, undermining informed consent and safe review.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file advertises a fully offline voice pipeline, but the implementation sends audio to Groq and text conversations to OpenRouter. In a voice assistant context, that mismatch is dangerous because users may reasonably assume sensitive speech stays local when it is actually transmitted to third-party services.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The docstring repeatedly claims the pipeline is fully offline and that everything except Claude is local, yet the code performs multiple external API requests including remote transcription. This kind of deceptive or inaccurate disclosure can cause unintentional privacy breaches because operators may deploy it in environments where outbound transmission is prohibited.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The transcription function is documented as using a local VAD/Whisper flow, but the implementation hardcodes a remote Groq Whisper request. That discrepancy increases privacy risk because maintainers and users may not realize captured microphone audio is being uploaded externally.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
The code embeds hardcoded external API credentials for Groq and OpenRouter directly in the source. Hardcoded secrets can be extracted by anyone with code access, abused for unauthorized API use, and often indicate careless handling of user audio and conversation data sent to third parties.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill is marketed as an offline Jetson voice pipeline, but the implementation sends audio and text to Groq, uses Edge TTS, performs web search, and can forward requests to a gateway. This mismatch is security-relevant because it can mislead users into exposing voice data and home-control intents under false privacy assumptions.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code harvests credentials from environment variables and unrelated local config files, expanding the trust boundary beyond what a basic voice pipeline requires. This increases the chance of accidental secret exposure and makes it harder for users to understand what local credentials the skill is accessing.

Intent-Code Divergence

High
Confidence
100% confidence
Finding
The docstring claims all API keys come from environment variables, but the code embeds a hardcoded Anthropic-style secret and also loads secrets from local config files. Hardcoded credentials are a severe secret-management failure because anyone with source access can recover and misuse the token, and users are misled about where secrets originate.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Describing the microphone as 'always listening' without an explicit privacy warning is risky because continuous ambient capture can collect sensitive conversations from users and bystanders. In a voice-assistant context this is especially important, as the skill is intended to run persistently and may be deployed in private spaces.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation mentions external LLM and gateway usage but does not explicitly warn that prompts derived from captured speech may be transmitted off-device. Given the skill's voice pipeline context, this can expose personal conversations, tokens, and household activity to third-party services without clear user awareness.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
references/VOICE_PIPELINE_NOTES.md:269

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/voice_pipeline_v2.py:419