Security audit

Xiaoyuzhou Asr

Security checks across malware telemetry and agentic risk

Overview

The skill matches its podcast transcription purpose, but it should be reviewed because it handles reusable account tokens through a configurable API server and stores them locally.

Install only if you intend to use a trusted xyz API service, preferably one running on localhost. Verify XYZ_BASE_URL before login or transcription; do not point it at a third-party server unless you trust that server with your phone number, SMS code, access token, and refresh token. Protect or delete ~/.xiaoyuzhou-asr.json when finished, and verify the ASR binary path before running.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    cmd = [asr_bin, model_dir, str(wav_path)]
    print(f"  转录: {wav_path.name}...")
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=900)
    except subprocess.TimeoutExpired:
        raise TranscriptionError(f"转录超时 (900s): {wav_path.name}")
    if result.returncode != 0:
Confidence
81% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=900)

Tainted flow: 'req' from os.environ.get (line 904, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=HTTP_TIMEOUT_SEC) as resp:
            return read_json_response(resp, f"API {endpoint}")
    except urllib.error.HTTPError as e:
        if e.code == 401 and _retry:
Confidence
84% confidence
Finding
with urllib.request.urlopen(req, timeout=HTTP_TIMEOUT_SEC) as resp:

Tainted flow: 'refresh_req' from os.environ.get (line 370, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
                        headers={"Content-Type": "application/json"},
                        method="POST",
                    )
                    with urllib.request.urlopen(refresh_req, timeout=HTTP_TIMEOUT_SEC) as resp:
                        result = read_json_response(resp, "刷新 token")
                    new_token = (result.get("data", {}).get("x-jike-access-token")
                                 or result.get("data", {}).get("token", ""))
Confidence
85% confidence
Finding
with urllib.request.urlopen(refresh_req, timeout=HTTP_TIMEOUT_SEC) as resp:

Missing User Warnings

Medium
Confidence
69% confidence
Finding
The README instructs users to provide tokens and to use an external or local API service to fetch episode metadata and audio URLs, but it does not prominently warn about credential sensitivity, token storage, or the trust boundary around external data sources. In an agent skill context, this can lead users to expose access tokens, or cause the agent to access and download remote content without sufficiently informed consent.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.