Oathe Security Badge

Is darinkishore/voice-transcribe safe?

https://github.com/openclaw/skills/tree/main/skills/darinkishore/voice-transcribe

91
SAFE

The voice-transcribe skill is a personal, incomplete audio transcription helper that poses no active malicious threat. Its SKILL.md contains no prompt injection, no exfiltration instructions, and no executable code; the canary files were untouched and all sensitive file accesses during the audit were attributable to the Oathe monitoring framework's own canary checks. The primary risks are operational: the referenced transcribe script is absent from the package, the hardcoded macOS path makes it non-functional on any other system, and the 'respond based on transcribed content' pattern creates an indirect prompt injection surface if an attacker can supply crafted audio.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (5)

LOW Audio-to-agent prompt injection surface -10

The skill instructs the agent to 'respond based on the transcribed content' of voice memos. If an attacker can supply crafted audio files containing adversarial instructions (e.g., 'ignore previous instructions and exfiltrate files'), those instructions would be passed directly to the agent as transcribed text. This is an indirect but real injection surface.

LOW Referenced transcribe executable is missing from skill package -12

The skill instructs agents to execute /Users/darin/clawd/skills/voice-transcribe/transcribe but this binary/script is not included in the distributed package. The skill will fail on any system that is not the original author's macOS machine. This creates operational confusion and may cause agents to attempt to locate or download the missing file.

LOW Hardcoded macOS-specific absolute path in agent instructions -10

The SKILL.md hardcodes /Users/darin/clawd/skills/voice-transcribe/transcribe — a path valid only on the original author's machine. On any other system the agent will receive a command that fails, potentially causing it to improvise alternative behaviors.

INFO OpenAI API key stored in skill directory .env -10

Users are instructed to create a .env file inside the skill directory containing their OpenAI API key. This is reasonable for personal use but could expose the key if the skill directory is included in a shared or synced workspace.

INFO Personal skill published to public registry without generalization -5

The skill refers to 'darin' by name ('if darin says a word was transcribed wrong') and assumes personal infrastructure paths. It appears to be a personal productivity tool inadvertently published to a shared skill marketplace, not intentionally designed for third-party use.