Voice To Text

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent offline voice transcription tool with disclosed dependency installs and no evidence of hidden data access or exfiltration.

Install only if you are comfortable installing ffmpeg and the vosk Python package and downloading Vosk model files. The skill processes the audio files you provide locally and reads models from ~/.vosk/models; verify that the chosen audio path is intentional and that you trust the model download source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill instructs use of shell commands and environment variables but does not declare corresponding permissions or capabilities. That mismatch can bypass user/operator expectations and weaken policy enforcement, especially because the skill processes user-supplied file paths via a shell-invoked workflow.

Vague Triggers

Medium
Confidence: 80%
Finding: The invocation description is broad enough to trigger on many common requests involving audio or transcription, which can cause the agent to select this skill unexpectedly. In a skill that runs local commands on supplied file paths, overbroad routing increases the chance of unintended execution and processing of files the user did not clearly consent to transcribe.

VirusTotal

66/66 vendors flagged this skill as clean.
