Security audit

ifly-speed-transcription

Security checks across malware telemetry and agentic risk

Overview

This is a coherent transcription skill that uploads a user-chosen MP3 file to iFLYTEK/XFYUN using user-provided API credentials, with some documentation and privacy-disclosure gaps but no hidden or destructive behavior found.

Install or use this only if you are comfortable sending the selected audio file, and possibly its filename/path in multipart metadata, to iFLYTEK/XFYUN. Use scoped API keys, avoid uploading recordings containing confidential or regulated information without consent, and treat the WAV/PCM claims as unreliable because the script currently supports MP3 only.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill appears to use environment variables, network access, and file writing, but no permissions are declared to make those capabilities explicit. This creates a transparency and governance problem: users and platforms cannot accurately assess what the skill will access, and sensitive audio or credentials may be handled without clear consent boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior materially overstates supported formats and automatic language detection compared with the implemented behavior. This is dangerous because users may submit unsupported files or rely on privacy/accuracy assumptions that are false, causing failed processing, misleading outputs, or accidental disclosure when users retry or convert data unnecessarily for an external service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill does not clearly warn that user audio will be uploaded to iFLYTEK, a third-party external service. Because audio files may contain sensitive personal, medical, legal, or business information, failing to disclose external transmission undermines informed consent and can lead to serious privacy, compliance, and data-handling risks.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The tool uploads local audio content to a third-party transcription service without any explicit user-facing warning at the point of transmission. In a skill context, users may assume processing is local; this can lead to unintended disclosure of sensitive conversations, personal data, regulated information, or confidential recordings to an external provider.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.