ClawHub

Speech To Text

Security checks across malware telemetry and agentic risk

Overview

This is a coherent speech-to-text helper for inference.sh, with disclosed cloud processing and CLI setup risks that users should review before sending private audio.

Install the inference.sh CLI only if you trust the provider, and prefer the documented manual checksum verification path when possible. Review `infsh` commands before running them, and do not submit confidential, regulated, or private recordings unless inference.sh is approved for that data under your account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger list includes several broad, everyday phrases such as "transcription" and "subtitles generation" that may cause the skill to activate in situations where the user did not explicitly intend to use this specific external service. In context, this is primarily a safety and UX issue rather than direct code execution, but unintended invocation could still lead to accidental data disclosure if users provide sensitive audio or URLs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation shows users supplying audio URLs to a remote transcription service but does not clearly warn that audio content and potentially sensitive speech data will be transmitted off-device to inference.sh-backed services. For a speech-to-text skill, this context makes the omission more significant because users may transcribe meetings, interviews, voice notes, or other confidential recordings without realizing they are being sent to a third party.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal