Back to skill

Security audit

Deepgram Asr

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it sends a user-chosen audio file to Deepgram for transcription using the user's Deepgram API key.

Install only if you are comfortable sending chosen audio files to Deepgram for processing. Avoid confidential, regulated, or highly sensitive recordings unless your Deepgram account settings and data-processing terms fit your needs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script uploads the entire audio file to Deepgram, which is an external third-party service, but it does not provide any explicit user-facing consent or privacy warning at the point of transmission. In a transcription skill this behavior is expected, yet it still creates a real data exposure risk if users process sensitive recordings without realizing they leave the local environment.

External Transmission

Medium
Category
Data Exfiltration
Content
trap 'rm -f "$tmpfile"' EXIT

# Call API (-- prevents option injection from filenames starting with -)
http_code=$(curl -sS -w '%{http_code}' -o "$tmpfile" -- "$url" \
  -H "Authorization: Token $DEEPGRAM_API_KEY" \
  -H "Content-Type: ${mime}" \
  --data-binary "@${in}")
Confidence
96% confidence
Finding
curl -sS -w '%{http_code}' -o "$tmpfile" -- "$url" \ -H "Authorization: Token $DEEPGRAM_API_KEY" \ -H "Content-Type: ${mime}" \ --data-binary

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal