ClawHub

AssemblyAI Transcriber

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but users should understand that selected audio is sent to AssemblyAI for cloud transcription.

Install only if you are comfortable sending the audio files or audio URLs you choose to AssemblyAI under your API key. Avoid confidential, regulated, or third-party recordings unless you have permission and have reviewed AssemblyAI privacy, retention, compliance, and billing terms. Prefer an environment variable or a protected local config file for the API key, and confirm the exact audio path before asking an agent to run the script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README encourages users to submit audio files and Telegram voice messages to a third-party transcription provider, but it does not warn that potentially sensitive voice content will be transmitted off-device and processed externally. This can lead to inadvertent disclosure of personal, confidential, or regulated data, especially because voice messages and meetings commonly contain sensitive information.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill prominently advertises transcription features but does not clearly disclose that local audio files and URL-provided audio will be uploaded to AssemblyAI, a third-party cloud provider, for processing. Users may unknowingly send sensitive meeting recordings, interviews, or voice messages off-device, creating privacy, confidentiality, and compliance risk.

Session Persistence

Medium
Category
Rogue Agent
Content
## Setup

1. Create AssemblyAI account: https://www.assemblyai.com/
2. Get API key (free tier: 100 min/month)
3. Set environment variable:
Confidence
87% confidence
Finding
Create AssemblyAI account: https://www.assemblyai.com/ 2. Get API key (free tier: 100 min/month) 3. Set environment variable: ```bash export ASSEMBLYAI_API_KEY="your-api-key" ``` Or save to config f

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal