Back to skill

Security audit

Super-Transcribe — Unified Speech-to-Text

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate transcription tool, but it combines runtime package installation, arbitrary URL fetching, and a missing documented launcher that users should review before installing.

Install only if you are comfortable with a transcription skill creating local virtual environments, downloading ML packages/models, fetching user-provided URLs, and processing voice/audio content. Check the missing ./scripts/transcribe launcher issue before relying on it, avoid passing HuggingFace tokens on the command line when possible, and require explicit user intent before transcribing voice notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if "--update" in sys.argv:
        _venv_python = _SCRIPT_DIR.parent / ".venv" / "bin" / "python"
        if shutil.which("uv"):
            subprocess.run(
                [
                    "uv",
                    "pip",
Confidence
86% confidence
Finding
subprocess.run( [ "uv", "pip", "install", "--python", str(_venv_python),

subprocess module call

Medium
Category
Dangerous Code Execution
Content
check=True,
            )
        else:
            subprocess.run(
                [str(_venv_python), "-m", "pip", "install", "--upgrade", "faster-whisper"],
                check=True,
            )
Confidence
86% confidence
Finding
subprocess.run( [str(_venv_python), "-m", "pip", "install", "--upgrade", "faster-whisper"], check=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
else:
            cmd = [python_exe, "-m", "pip", "install", package_name]

        subprocess.run(cmd, check=True, capture_output=quiet, text=True, timeout=300)

        if not quiet:
            print(f"✅ {package_name} installed successfully", file=sys.stderr)
Confidence
98% confidence
Finding
subprocess.run(cmd, check=True, capture_output=quiet, text=True, timeout=300)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("⬇️  Downloading audio from URL...", file=sys.stderr)

    try:
        subprocess.run(cmd, check=True, capture_output=quiet)
    except subprocess.CalledProcessError as e:
        print(f"Error downloading URL: {e}", file=sys.stderr)
        shutil.rmtree(tmpdir, ignore_errors=True)
Confidence
88% confidence
Finding
subprocess.run(cmd, check=True, capture_output=quiet)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
select_expr = "+".join(f"between(t,{s:.3f},{e:.3f})" for s, e in sp_ranges)

            try:
                subprocess.run(
                    [
                        "ffmpeg",
                        "-y",
Confidence
91% confidence
Finding
subprocess.run( [ "ffmpeg", "-y", "-i", effective_path,

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The guidance is internally inconsistent: it says not to auto-transcribe every voice message, but the example instructs silent transcription of a voice note to infer unrelated user intent. This bypasses explicit consent for processing user audio and can leak sensitive spoken content into transcripts or logs even when the user did not ask for transcription.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Auto-installing `pyannote.audio` on first use gives the skill the ability to modify its environment and fetch code from external package sources during normal operation. In this context, that is beyond the stated transcription purpose and creates avoidable supply-chain and persistence risk if dependency resolution is abused or a package is compromised.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Automatically installing Python packages into the current environment is dangerous in an agent skill because it permits runtime expansion of executable code beyond the reviewed skill contents. This can introduce malicious or typosquatted dependencies, execute package build/install hooks, and alter the host environment persistently, which is not necessary for ordinary transcription behavior.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Downloading arbitrary remote media materially increases the attack surface compared with a local transcription utility. In an agent/server environment this can enable access to internal network resources, retrieval of sensitive URLs, processing of malicious files, and denial-of-service via oversized or slow remote responses.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The agent-oriented JSON formatter echoes file_path and output_path into a compact payload intended for agent/chatbot consumption. In a multi-tenant or user-facing context, this can disclose internal filesystem structure, usernames, mount points, or temporary working directories, which may aid reconnaissance and unintentionally leak sensitive environment details beyond the transcription result.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill will auto-install `pyannote.audio` at runtime if the dependency is missing, which introduces a software supply-chain risk and executes package installation as a side effect of normal processing. In an agent skill context, this is more dangerous because users may not expect network access, code download, dependency resolution, or arbitrary install-time behavior during transcription.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill description is broad enough that an orchestrator may route generic translation or media-related requests into this skill even when the user did not intend transcription. Over-broad invocation scope can trigger unnecessary media processing, network fetches, or local command execution on inputs that should have been handled by a narrower, safer path.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
Instructing the agent to transcribe voice messages silently without explicit user opt-in is a privacy and consent violation. Voice notes often contain sensitive personal, financial, or health information, and silently converting them to text creates durable, searchable artifacts that increase exposure and downstream misuse risk.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The code accepts a HuggingFace token on the command line and copies it into environment variables, increasing the exposure surface for credentials within the process and any child processes. While this is intended to support model access, there is no minimization, masking, or warning, so accidental leakage through process inspection, logs, or subprocess inheritance becomes more likely.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
Automatic package installation without explicit user confirmation is unsafe in a security-sensitive agent environment because it silently changes the runtime, reaches out to external package sources, and may execute unreviewed code. This creates avoidable supply-chain and integrity risks beyond the core task of transcription.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill automatically downloads and processes remote audio/URL inputs without an explicit privacy or data-transfer warning. In an agent context, this can cause unanticipated outbound network requests, transmission of sensitive URLs or media, and exposure to SSRF-like or policy-violating behavior depending on what `download_url` permits.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script directly executes bundled child setup scripts with `bash "$FW_DIR/setup.sh"` and `bash "$PK_DIR/setup.sh"` without presenting an explicit warning or confirmation that additional code will run and may modify the environment. While this is expected in an installer, it increases supply-chain and transparency risk because users may not realize multiple installer scripts are being invoked transitively.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/backends/parakeet/transcribe.py:321