live-stream-monitor

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it should be reviewed because it can start microphone-based speech recognition while under-explaining privacy impact and advertising keyword alerts that are not implemented.

Install only if you are comfortable with a headed browser session using microphone-based speech recognition for the selected duration. Before trusting it, ask the publisher to add real keyword-alert logic, remove or clearly justify automatic media permission handling, and document exactly what audio is captured, where transcription occurs, and whether transcripts are stored or sent anywhere.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 86%
Finding
The README promotes real-time speech transcription but does not clearly disclose the privacy implications of capturing audio, how microphone access is used, or whether audio/transcripts may be stored or transmitted. In a live-stream monitoring skill, users may assume only stream audio is processed, so omitting a warning can lead to uninformed consent and unintended collection of sensitive audio data.

Missing User Warnings

Medium
Confidence: 91%
Finding
Listing microphone access as a requirement without a user-facing warning normalizes a sensitive permission without explaining its risks. Because this skill monitors external streams, requesting microphone access is contextually surprising and could expose nearby conversations or other unintended audio if users grant access without understanding the consequences.

Vague Triggers

Medium
Confidence: 82%
Finding
The trigger conditions are very broad, such as activating whenever a user wants live transcription or keyword monitoring, without clear guardrails, consent steps, or limitations on when microphone-based transcription should run. Overbroad activation increases the chance the skill is invoked in contexts where users do not expect live audio capture or where the requested monitoring scope is ambiguous.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill states that it requires microphone access and performs live speech transcription, but it does not include a prominent warning about privacy implications, such as capturing surrounding conversations or other unintended audio. In a streaming-monitoring context, that omission is dangerous because users may believe only the stream is processed when the browser permission model may expose broader local audio capture risks.

VirusTotal

63/63 vendors flagged this skill as clean.
