Back to skill

Security audit

Local Audio2SRT

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for a local Audio2SRT app, but its generated backend is exposed too broadly for a local-only transcription tool.

Review before installing. Use a fresh dedicated directory and a virtual environment, expect npm/pip installs plus multi-GB ModelScope downloads, and only run the service on trusted networks unless you first change it to bind to 127.0.0.1, restrict CORS, and limit transcription inputs to uploaded files or an allowlisted directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The /api/transcribe endpoint accepts an arbitrary local file_path and only checks os.path.isfile(), allowing any client who can reach the service to cause the backend to open and process local files on the host. In this skill's context, the server binds to 0.0.0.0 with no authentication, which makes this more dangerous because remote users may access host files or trigger processing of unintended local resources.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The service exposes an unauthenticated translation API that accepts arbitrary text and invokes a local model, even though the skill is primarily a setup/deployment tool. Because the server listens on 0.0.0.0 and has no access controls, it can be abused by any reachable client for unauthorized compute consumption or as a general-purpose text-processing service.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger logic defaults to this skill for a broad request like '部署 audio2srt' even when the user did not clearly ask for local generation, package installation, model downloads, or service execution. That can cause the agent to select a more powerful skill than intended, leading to unanticipated filesystem changes, downloads, and process launches.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill description does not prominently warn that execution will install Python and Node dependencies, download multi-gigabyte models, start local services on fixed ports, and potentially overwrite an existing directory. This is risky because users may consent to 'generate a project' without understanding the operational and system-modifying actions that follow.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The file instructs the agent to create directories, write a large set of files into TARGET_DIR, and change permissions on start.sh without requiring any confirmation or warning about overwriting existing content. In a code-generation/deployment skill, this can lead to unintended modification or replacement of user files if TARGET_DIR is mis-specified or already populated, making the risk operationally real even if not overtly malicious.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script performs network-affecting actions by installing the `modelscope` package with `pip3 install` and then downloading large model artifacts from ModelScope, but it does not present a clear upfront warning or require explicit user confirmation before doing so. In a local-deploy skill, users may reasonably expect local generation only; silently triggering package installation and remote downloads increases supply-chain exposure and can violate user expectations or restricted-environment policies.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.