Back to skill

Security audit

Faster Whisper

Security checks across malware telemetry and agentic risk

Overview

This transcription skill does not look intentionally harmful, but it needs Review because it can fetch remote media and persistently change its own runtime dependency.

Install only if you are comfortable giving this skill access to local media files, generated transcript outputs, outbound downloads from user-provided URLs or feeds, and optional HuggingFace credentials. Avoid using the --update feature in normal runs; update dependencies through a controlled package-management process instead, and run remote-media transcription in a constrained workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
)

        try:
            subprocess.run(cmd, check=True, stderr=subprocess.DEVNULL if quiet else None)
            if not quiet:
                print(f"   💾 {out_file}", file=sys.stderr)
        except subprocess.CalledProcessError as e:
Confidence
78% confidence
Finding
subprocess.run(cmd, check=True, stderr=subprocess.DEVNULL if quiet else None)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if "--update" in sys.argv:
        _venv_python = _SCRIPT_DIR.parent / ".venv" / "bin" / "python"
        if shutil.which("uv"):
            subprocess.run(
                ["uv", "pip", "install", "--python", str(_venv_python), "--upgrade", "faster-whisper"],
                check=True,
            )
Confidence
98% confidence
Finding
subprocess.run( ["uv", "pip", "install", "--python", str(_venv_python), "--upgrade", "faster-whisper"], check=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
check=True,
            )
        else:
            subprocess.run(
                [str(_venv_python), "-m", "pip", "install", "--upgrade", "faster-whisper"],
                check=True,
            )
Confidence
98% confidence
Finding
subprocess.run( [str(_venv_python), "-m", "pip", "install", "--upgrade", "faster-whisper"], check=True, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill advertises and documents capabilities that imply shell execution, network fetching, environment/token use, and filesystem reads/writes, yet the metadata declares no corresponding permissions. This creates a trust and containment gap: an agent or reviewer may assume the skill is less privileged than it really is, increasing the chance of unintended execution with network or file side effects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior exceeds the stated description in several materially important ways, including remote RSS fetching, package updating, file modification/burn-in, speaker-audio export, and additional transformation features. This mismatch can mislead operators about the true attack surface and side effects, making risky capabilities available under a seemingly narrower 'local speech-to-text' label.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill adds RSS feed fetching and episode discovery capabilities beyond the stated local transcription use case, expanding it into remote content retrieval. This broadens the trust boundary by causing network access and processing of arbitrary external media without clear manifest disclosure.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The CLI includes self-update behavior that modifies the execution environment and downloads code, which is outside the expected scope of a transcription skill. In an agent context this is dangerous because reviewed code can effectively replace itself or its dependencies after deployment.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A self-updating installation path is not justified by the stated purpose and materially increases supply-chain exposure. It allows runtime package changes that can introduce unreviewed code and undermine reproducibility and security review.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill supports URL/YouTube and RSS ingestion with automatic downloading of remote content, but it does not prominently warn that using these features initiates outbound network access and may expose user-supplied URLs, tokens, IP metadata, or downloaded content to third-party services. In a local-processing skill, users may reasonably expect offline behavior unless warned otherwise.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill includes multiple options that create, overwrite, or modify files, including transcript outputs, chapter files, subtitle burn-in outputs, temp-file retention, stats files, and exported speaker audio, without a consolidated warning about filesystem side effects. This can lead to accidental data creation, overwrites, leakage of sensitive transcriptions, or unintended modification of media workflows.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill can contact external services via URL download and RSS fetching, but the manifest emphasizes local speech-to-text and does not clearly warn about network access. This can surprise users, leak access patterns or target URLs, and expand the attack surface by pulling untrusted remote media.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The HuggingFace token provided by the user is copied into process environment variables without explicit disclosure of credential handling. Environment variables can be inherited by child processes and may be exposed through diagnostics or other libraries, increasing the chance of accidental credential leakage.

Unvalidated Output Injection

High
Category
Output Handling
Content
print(f"🎬 Burning subtitles into {output_path}...", file=sys.stderr)
            subprocess.run(cmd, check=True)
        else:
            subprocess.run(cmd, check=True, capture_output=True)
        if not quiet:
            print(f"✅ Burned: {output_path}", file=sys.stderr)
    except subprocess.CalledProcessError as e:
Confidence
88% confidence
Finding
subprocess.run(cmd, check=True, capture_output

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core dependency — PyTorch installed separately by setup script (with CUDA if GPU detected)
faster-whisper>=1.2.1
Confidence
93% confidence
Finding
faster-whisper>=1.2.1

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.