Subtitle Generator

Security checks across malware telemetry and agentic risk

Overview

This subtitle skill behaves like a normal SenseAudio integration, with expected privacy considerations because video audio is sent to an external transcription API.

Install only if you are comfortable sending the video's audio to SenseAudio for transcription and using your SenseAudio API key. Avoid confidential recordings unless permitted by your policies, keep the API key private, and choose fresh output filenames to avoid overwriting existing subtitle or video files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill sends extracted audio derived from user video to a third-party transcription service, but the description does not clearly warn users about this external data transfer. This creates a privacy and data-governance risk, especially if users process sensitive or confidential recordings without informed consent.

Missing User Warnings

Low

Confidence: 82% confidence
Finding: The skill documentation omits a clear warning that subtitle generation and optional burn-in create local artifacts and may overwrite output paths. While not severe, undocumented file creation can surprise users and cause accidental loss of local data if unsafe output filenames are chosen.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal