mlx-whisper
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the
mlx-whisperPython package and downloads pre-trained weights from the Hugging Facemlx-communityorganization. These are legitimate resources within the Apple Silicon machine learning ecosystem. - [PROMPT_INJECTION]: The skill processes external audio data which, when transcribed, could contain instructions designed to influence the agent (Indirect Prompt Injection surface). • Ingestion points: Audio file content via
mlx_whisper.transcribe. • Boundary markers: Absent. • Capability inventory: Local file system read access for audio files and local Python code execution. • Sanitization: Absent. - [SAFE]: No evidence of obfuscation, data exfiltration, credential harvesting, or unauthorized privilege escalation was found. The skill's operations are consistent with its stated purpose.
Audit Metadata