Back to skill

Security audit

Azure Ai Transcription Py

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Azure speech-to-text helper, with expected use of an Azure key and audio transcription through Azure services.

Before installing, verify the Python package source, protect the Azure subscription key, and only transcribe audio or storage URLs you are authorized to send to Azure. Review Azure retention, logging, and compliance settings if the audio may contain sensitive information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list includes generic phrases such as "transcription" and "speech to text," which are broad enough to match ordinary user requests and cause unintended invocation of this skill. In a skill that can transmit user audio and referenced URLs to an external cloud provider, over-broad activation increases the chance of unexpected data handling and user confusion about where their content is being sent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill documentation does not warn users that audio data and content URLs will be transmitted to Azure services for processing. Because transcription inputs may contain sensitive spoken content, metadata, or private storage links, the lack of disclosure can lead to inadvertent exposure of confidential information and uninformed consent to third-party processing.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.