Asr Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real local speech-to-text skill, but it exposes a network-facing audio service with under-scoped endpoints and weak deployment safeguards.

Install only in a controlled environment. Bind the service to 127.0.0.1 or firewall it, add authentication or signed webhook validation before exposure, review and patch dependency versions, and avoid sending sensitive voice recordings unless you understand local storage, transcript handling, and downstream model forwarding.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documentation describes a simple speech-to-text skill, but the analyzed behavior indicates additional HTTP endpoints, webhook handling, forced alignment, and timestamp/segmentation features that are not disclosed. Undocumented network-facing functionality expands the attack surface and can lead operators to expose services or data flows they did not intend to trust.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The uninstall section includes destructive `rm -rf` commands but does not clearly warn about irreversible data loss or instruct users to verify paths before running them. In installation documentation, shell commands are often copied verbatim, so even intended cleanup steps can cause accidental deletion if paths are modified, expanded unexpectedly, or executed from the wrong context.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly states that user voice messages are automatically transcribed and then forwarded to the language model, but it does not disclose how audio/transcripts are handled, stored, retained, or protected. Because voice data can contain sensitive personal information and biometric characteristics, the lack of a privacy/data-handling warning can lead to unsafe deployment and uninformed user consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code accepts audio_input as a path or URL and passes it to the model without validating or restricting remote fetch behavior. If the underlying library resolves URLs, an attacker could trigger unintended outbound network requests, potentially enabling SSRF-style access to internal resources, metadata endpoints, or privacy-impacting remote retrieval without user awareness.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The manifest explicitly supports audio upload and transcription, including file and base64 input, but provides no warning that voice recordings may contain highly sensitive personal, biometric, or confidential information. This is a real security/privacy issue because users may submit sensitive speech data without understanding retention, exposure, or handling risks, especially in a networked service context.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill is configured to listen on 0.0.0.0:3000, which exposes the transcription service on all network interfaces, yet the manifest does not warn users about network accessibility or access-control expectations. In context, this is more dangerous because the service accepts audio input and may process sensitive speech data; an unintentionally exposed endpoint could allow unauthorized use, data disclosure, or abuse.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The code accepts audio input as a path or URL and passes it directly into the model stack without any validation, allowlisting, or user-facing disclosure. If downstream libraries resolve remote URLs, this can enable server-side request forgery, unintended network access, or silent transmission of user-supplied data to external hosts, which is more concerning in a skill advertised as simple speech-to-text.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Python dependencies (minimal version - 0.6B model only)
torch>=2.0.0
qwen-asr>=0.0.6
transformers>=4.37.0
sentencepiece>=0.1.99
Confidence
93% confidence
Finding
torch>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Python dependencies (minimal version - 0.6B model only)
torch>=2.0.0
qwen-asr>=0.0.6
transformers>=4.37.0
sentencepiece>=0.1.99
protobuf>=4.25.0
Confidence
90% confidence
Finding
qwen-asr>=0.0.6

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Python dependencies (minimal version - 0.6B model only)
torch>=2.0.0
qwen-asr>=0.0.6
transformers>=4.37.0
sentencepiece>=0.1.99
protobuf>=4.25.0
numpy>=1.24.0
Confidence
94% confidence
Finding
transformers>=4.37.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
torch>=2.0.0
qwen-asr>=0.0.6
transformers>=4.37.0
sentencepiece>=0.1.99
protobuf>=4.25.0
numpy>=1.24.0
Confidence
89% confidence
Finding
sentencepiece>=0.1.99

Unpinned Dependencies

Low
Category
Supply Chain
Content
qwen-asr>=0.0.6
transformers>=4.37.0
sentencepiece>=0.1.99
protobuf>=4.25.0
numpy>=1.24.0
Confidence
93% confidence
Finding
protobuf>=4.25.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
transformers>=4.37.0
sentencepiece>=0.1.99
protobuf>=4.25.0
numpy>=1.24.0
Confidence
88% confidence
Finding
numpy>=1.24.0

Known Vulnerable Dependency: express==4.18.2 — 2 advisory(ies): CVE-2024-43796 (express vulnerable to XSS via response.redirect()); CVE-2024-29041 (Express.js Open Redirect in malformed URLs)

Low
Category
Supply Chain
Confidence
83% confidence
Finding
express==4.18.2

Known Vulnerable Dependency: multer==1.4.5-lts.1 — 7 advisory(ies): CVE-2025-47935 (Multer vulnerable to Denial of Service via memory leaks from unclosed streams); CVE-2025-47944 (Multer vulnerable to Denial of Service from maliciously crafted requests); CVE-2026-3520 (Multer Vulnerable to Denial of Service via Uncontrolled Recursion) +4 more

High
Category
Supply Chain
Confidence
96% confidence
Finding
multer==1.4.5-lts.1

Known Vulnerable Dependency: axios==1.6.0 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig) +7 more

High
Category
Supply Chain
Confidence
91% confidence
Finding
axios==1.6.0

Known Vulnerable Dependency: express==4.18.2 — 2 advisory(ies): CVE-2024-43796 (express vulnerable to XSS via response.redirect()); CVE-2024-29041 (Express.js Open Redirect in malformed URLs)

Low
Category
Supply Chain
Confidence
89% confidence
Finding
express==4.18.2

Known Vulnerable Dependency: multer==1.4.5-lts.1 — 7 advisory(ies): CVE-2025-47935 (Multer vulnerable to Denial of Service via memory leaks from unclosed streams); CVE-2025-47944 (Multer vulnerable to Denial of Service from maliciously crafted requests); CVE-2026-3520 (Multer Vulnerable to Denial of Service via Uncontrolled Recursion) +4 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
multer==1.4.5-lts.1

Known Vulnerable Dependency: axios==1.6.0 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig) +7 more

High
Category
Supply Chain
Confidence
91% confidence
Finding
axios==1.6.0

Known Vulnerable Dependency: torch — 10 advisory(ies): CVE-2025-2953 (PyTorch susceptible to local Denial of Service); CVE-2022-45907 (PyTorch vulnerable to arbitrary code execution); CVE-2025-32434 (PyTorch: `torch.load` with `weights_only=True` leads to remote code execution) +7 more

Critical
Category
Supply Chain
Confidence
95% confidence
Finding
torch

Known Vulnerable Dependency: transformers — 10 advisory(ies): CVE-2023-2800 (transformers has Insecure Temporary File); CVE-2025-3933 (Transformers is vulnerable to ReDoS attack through its DonutProcessor class); CVE-2024-3568 (Transformers Deserialization of Untrusted Data vulnerability) +7 more

Critical
Category
Supply Chain
Confidence
94% confidence
Finding
transformers

Known Vulnerable Dependency: sentencepiece — 1 advisory(ies): CVE-2026-1260 (Sentencepiece has a heap overflow issue)

High
Category
Supply Chain
Confidence
84% confidence
Finding
sentencepiece

Known Vulnerable Dependency: protobuf — 7 advisory(ies): CVE-2026-0994 (protobuf affected by a JSON recursion depth bypass); CVE-2022-1941 (protobuf-cpp and protobuf-python have potential Denial of Service issue); CVE-2025-4565 (protobuf-python has a potential Denial of Service issue) +4 more

Critical
Category
Supply Chain
Confidence
94% confidence
Finding
protobuf

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Critical
Category
Supply Chain
Confidence
87% confidence
Finding
numpy

VirusTotal

50/50 vendors flagged this skill as clean.
