Back to skill

Security audit

Speech To Text

Security checks across malware telemetry and agentic risk

Overview

The skill appears aligned with speech-to-text work, but users should treat it as an external transcription service and be careful with sensitive media.

Install only if you are comfortable using inference.sh for transcription. Prefer the manual/checksum-verified CLI install path when possible, and do not submit confidential, regulated, or private recordings unless you understand the service’s data handling terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list includes very generic phrases such as 'transcription', 'whisper', 'audio to text', and 'subtitles generation', which are likely to match broad user intent and can cause this skill to be invoked when users did not explicitly intend to send media to an external transcription service. Because the skill processes user-supplied audio/video URLs through a third-party CLI/service, overbroad activation increases the chance of unintended data disclosure or accidental external processing.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explains how to submit audio/video URLs to inference.sh but does not warn users that referenced media and transcription content will be transmitted to an external service for processing. In a speech-to-text context, inputs often contain sensitive conversations, meetings, interviews, or voice notes, so missing disclosure meaningfully increases privacy and compliance risk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.