Local Transcription

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local transcription helper; it mentions extra local AI endpoints, but there is no evidence of hidden data collection, credential access, or destructive behavior.

Before installing, verify you trust the PyPI package and model installer sources, and check how the local router binds on your network. Only join devices you control or trust, and treat ~/.fleet-manager logs as potentially sensitive usage metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill is advertised as a local transcription capability, but it also documents access to unrelated LLM, image generation, and embedding endpoints on the same router. This broadens the effective capability surface exposed to an agent or user and can enable unintended use of higher-risk functions that were not part of the declared skill scope.

VirusTotal

VirusTotal findings are pending for this skill version.
