Byted Las Asr Pro

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate speech-to-text skill, but its setup and background polling give it more local execution and persistence authority than users may expect.

Install only if you trust the Volcengine-hosted SDK download path and are comfortable with the skill changing a local virtual environment during initialization. Use least-privilege LAS credentials, do not paste long-lived secrets into chat, confirm cost and upload consent before submitting media, avoid detached background polling unless you can monitor and stop it, and treat generated transcripts, previews, presigned URLs, logs, and result files as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill directs the agent to execute shell commands (`source`, `ffprobe`, `lasutil`, background scripts) but does not declare shell permissions. Hidden execution capability undermines least-privilege review and can lead to unintended command execution or broader access than users expect. The workflow context makes this more concerning because it processes local files and credentials, so shell access materially expands risk.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The environment initialization script performs network retrieval of a remote manifest and uses that result to decide whether to self-update the SDK, which exceeds the narrowly declared ASR/transcription behavior of the skill. This creates a software supply-chain risk: anyone who can tamper with the remote host, manifest, or distribution path can cause unexpected code to be installed in the operator's environment during setup.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script automatically runs pip install --upgrade from a direct remote wheel URL during initialization, which allows execution of unreviewed package code as part of setup. Because this happens implicitly and outside the user's expected ASR workflow, it materially increases the chance of compromise from a malicious or replaced wheel and makes builds non-reproducible.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The description is broad enough to trigger on many generic requests involving recordings, media files, captions, meetings, or extraction of spoken content. Overbroad routing can cause the skill to activate in contexts the user did not intend, increasing the chance of unnecessary file handling, remote uploads, or credential requests. In this skill, that matters because activation leads directly into a workflow that asks for secrets and may upload data to external storage.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to check for and request sensitive credentials such as `LAS_API_KEY`, `LAS_REGION`, and potentially `VOLCENGINE_ACCESS_KEY`/`VOLCENGINE_SECRET_KEY` without a clear user-facing privacy and handling warning. This can normalize collecting cloud secrets in chat or local files and increases the risk of credential exposure, misuse, or persistence beyond the intended task. The context raises the risk because these credentials can grant access to paid APIs and storage resources.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The workflow tells the agent to upload local input files to TOS and optionally upload generated transcripts for download, but it does not require an explicit privacy or consent warning about sending potentially sensitive audio and transcript content to remote storage. Audio recordings and transcripts often contain personal, confidential, or regulated data, so silent upload materially increases privacy and compliance risk. This skill's use cases—meetings, interviews, call-center audio, phone calls—make the data sensitivity especially high.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script fetches a manifest over the network and may install software from a remote URL without a clear warning or confirmation, so operators may trigger code-fetching and code-installation just by sourcing the setup script. In the context of an ASR skill, this is more dangerous because remote package management is not essential to the advertised functionality and is therefore unexpected hidden behavior.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script renders the first 500 bytes of transcript content directly into the generated Markdown output with no warning, masking, or access-control consideration. In an ASR skill, transcripts commonly contain sensitive personal, business, or regulated information, so automatically surfacing preview text increases the chance of unintended disclosure through logs, reports, or shared artifacts.

Credential Access

High
Category
Privilege Escalation
Content
```bash
# Load environment
if [ -f "${PROJECT_ROOT}/.env" ]; then
  source "${PROJECT_ROOT}/.env"
  export LAS_API_KEY LAS_REGION
fi
```
Confidence
85% confidence
Finding
.env"

Session Persistence

Medium
Category
Rogue Agent
Content
**Use the optimized background polling script (dynamic interval + automatic result extraction)**:
```bash
mkdir -p "./output/{task_id}"
./scripts/poll_background.sh {task_id} "./output/{task_id}" & disown
```
Script features:
- **Dynamic interval**: 30s for the first 5 attempts, 60s for attempts 5-10, 120s after 10 attempts, reducing unnecessary polling
Confidence
88% confidence
Finding
disown

VirusTotal

VirusTotal findings are pending for this skill version.
