Whisper Stt

Security checks across malware telemetry and agentic risk

Overview

The skill transcribes audio normally, but it also instructs automatic forwarding of transcripts to Feishu without clear destination or consent controls.

Install only if users understand that audio contents may be transcribed automatically and forwarded to Feishu. Before use with private, business, or regulated recordings, confirm the Feishu destination and require explicit approval or disable forwarding if possible.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The skill says it will automatically process any voice/audio file a user sends, without clear consent boundaries, source restrictions, or exclusion conditions. Broad auto-activation increases the chance of unintended processing of sensitive recordings and makes abuse or surprise activation more likely in normal chat workflows.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The description states that transcribed text will be sent to Feishu, but it does not clearly warn users that content derived from their audio will be transmitted onward. This creates a meaningful privacy and data-handling risk because users may reasonably expect transcription only, not secondary sharing of potentially sensitive speech content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal