Back to skill

Security audit

Groq Voice Transcribe

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Groq cloud transcription skill, with privacy-sensitive behavior that is disclosed and aligned with its purpose.

Install only if you are comfortable sending selected audio files to Groq for cloud transcription. Use a dedicated, revocable Groq API key, check Groq's privacy and retention terms for your use case, and avoid transcribing recordings that contain secrets or sensitive conversations unless that processing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documents execution of a local shell script (`{baseDir}/scripts/transcribe.sh`) but does not declare corresponding permissions. This creates a trust and review gap: an agent or user may authorize the skill based on incomplete metadata, while the skill still drives shell-capable behavior that can access local files and transmit audio to a remote API.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script uploads the provided audio file to Groq's external speech-to-text API, but it gives no user-facing disclosure, consent prompt, or privacy warning before transmitting potentially sensitive voice data off-device. In the context of an agent skill that may automatically process user voice messages, this creates a real privacy and data-handling risk because users may reasonably expect local processing or may not realize third-party cloud transmission is occurring.

External Transmission

Medium
Category
Data Exfiltration
Content
mkdir -p "$(dirname "$out")"

curl -sS https://api.groq.com/openai/v1/audio/transcriptions \
  -H "Authorization: Bearer $GROQ_API_KEY" \
  -H "Accept: application/json" \
  -F "file=@${in}" \
Confidence
92% confidence
Finding
https://api.groq.com/

Session Persistence

Medium
Category
Rogue Agent
Content
Get one from:

- https://console.groq.com/
- Sign in, open **API Keys**, then create a key

## Easiest setup in OpenClaw
Confidence
83% confidence
Finding
create a key ## Easiest setup in OpenClaw If OpenClaw is already running and configured, you can simply ask your assistant: - **"Configure Groq Voice Transcribe for me"** - **"Here is my Groq API k

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.