Local Speech Recognition

Security checks across malware telemetry and agentic risk

Overview

This skill does local voice-message transcription as advertised, with no evidence of data theft or destructive behavior, but users should understand that qualifying audio may be transcribed into chat automatically.

Install this only if you want voice messages converted to text automatically. Be aware that first use may fetch a Whisper model or dependency, and do not let text transcribed from third-party audio act as instructions to the agent unless you trust the speaker.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The skill advertises that voice messages are 'automatically triggered' for transcription with broad file-type matching and no visible scoping, consent, or activation boundaries. In an agent environment, this can cause unintended processing of user content, surprise execution on untrusted attachments, and privacy exposure if sensitive audio is transcribed without explicit opt-in.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The usage section states that OpenClaw 'automatically calls the transcription script and injects the result into the conversation,' which implies unconditional execution and content injection. This is risky because any qualifying audio message may trigger local processing and automatic insertion of transcribed text, potentially exposing sensitive information or enabling prompt/content injection through transcribed audio.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal