Back to skill

Security audit

subtitle-refiner

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do subtitle refinement as advertised, but it exposes API keys and subtitle contents in logs while sending transcript data to external services.

Review carefully before installing. Use only with subtitles you are comfortable sending to SiliconFlow and Feishu, and do not use it with confidential, regulated, customer, or internal meeting transcripts until the skill redacts API keys and suppresses raw request, response, and subtitle logging by default.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code prints the full bearer token, full prompts, subtitle contents, and complete JSON payloads to stderr. This can leak API credentials and potentially sensitive subtitle/transcript data into logs, CI output, agent traces, or monitoring systems, enabling credential theft and privacy breaches. The skill context makes this more dangerous because subtitles often contain private meeting, customer, or internal business content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly advertises automatic delivery of optimized subtitles via Feishu, which implies user content is transmitted to an external service. Because subtitles may contain sensitive meeting, personal, or proprietary information, failing to clearly warn users and obtain explicit consent creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill states it uses a remote LLM API to analyze and refine subtitle files, meaning subtitle text is sent off-device to a third-party endpoint. Without an explicit privacy warning, consent flow, or data classification guidance, users may unknowingly upload confidential audio transcripts to an external processor.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill description states that optimized subtitle files will be automatically sent to Feishu, but it does not clearly disclose this outbound transfer to the user at the point of use or require confirmation. Subtitles often contain sensitive meeting, customer, or internal content, so silent forwarding to a chat platform creates a real privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill processes subtitle content through an external model API, but the documentation does not clearly warn users that subtitle text will leave the local environment and be transmitted to SiliconFlow. This is dangerous because subtitle files may contain confidential or regulated content, and users cannot make an informed consent decision without clear disclosure.

Missing User Warnings

High
Confidence
99% confidence
Finding
The logging exposes the full API key and complete subtitle/request contents without redaction or user warning. Anyone with access to stderr, logs, build artifacts, or agent telemetry could recover secrets and sensitive transcript data, leading to account compromise and confidentiality loss. In an agent skill, such logs are often centrally collected, which increases blast radius.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill sends subtitle content to an external LLM service without any explicit warning, consent flow, or clear data-handling notice. Subtitles may contain sensitive personal, corporate, or regulated information, so silent off-box transmission creates privacy and compliance risk even if the destination service is legitimate. The context increases risk because the module is designed to process arbitrary user-provided transcript content.

External Transmission

Medium
Category
Data Exfiltration
Content
| 配置项 | 值 |
|--------|-----|
| Endpoint | `https://api.siliconflow.cn/v1/chat/completions` |
| 模型 | `Pro/zai-org/GLM-4.7` |

如需更换模型,编辑 [`scripts/refine.py`](scripts/refine.py) 中的配置:
Confidence
90% confidence
Finding
https://api.siliconflow.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
### API 配置

- **Endpoint**: `https://api.siliconflow.cn/v1/chat/completions`
- **主模型**: `Pro/zai-org/GLM-4.7`
- **API Key**: 从环境变量 `SILICONFLOW_API_KEY` 读取
- **如果用户没有填写API Key,提示**:
Confidence
90% confidence
Finding
https://api.siliconflow.cn/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.