MAI Transcribe

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Azure Speech transcription skill that uploads only the user-selected audio file and writes the transcript locally.

Install only if you are comfortable using an Azure Speech key and sending selected audio recordings to Microsoft/Azure for processing. Avoid confidential, regulated, or private recordings unless your Azure data handling requirements allow it, and verify the endpoint is your own Speech resource.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 70%
Finding: Without declared permissions the skill's intent is opaque and cannot be validated.

Missing User Warnings

Low
Confidence: 87%
Finding: The code performs an HTTP POST to the Azure Speech service and includes the full audio file in the request body. While the tool's purpose is transcription, this file itself provides no explicit disclosure at the point of execution that local audio content will be uploaded to an external service.

VirusTotal

66/66 vendors flagged this skill as clean.
