wispr-analytics
Warn
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill reads highly sensitive personal data from the Wispr Flow SQLite database at
~/Library/Application Support/Wispr Flow/flow.sqlite. This file contains the complete history of the user's voice dictations, including full transcripts, timestamps, and the applications where dictation occurred. While the skill is intended for local analytics, the exposure of such broad personal data to an AI agent is a high-sensitivity operation.- [COMMAND_EXECUTION]: The scriptscripts/wispr_dictionary.pyexecutes thepgrepsystem command usingsubprocess.runto check if the Wispr Flow application is active before performing database modifications. This is a functional requirement for data safety but represents an execution of local system commands.- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It ingests untrusted text data (user dictations) from the local database viascripts/extract_wispr.pyand interpolates this content into prompts for LLM analysis without sufficient isolation. - Ingestion points: Reads from
flow.sqlite(dictation history) inscripts/extract_wispr.py. - Boundary markers: None. The extracted text samples are passed to the LLM context for qualitative analysis without delimiters or instructions to disregard embedded commands.
- Capability inventory:
scripts/wispr_dictionary.pyhas capabilities to modify the local SQLite database and execute subprocesses;scripts/extract_wispr.pycan write to the local file system. - Sanitization: No filtering, escaping, or validation is performed on the
formattedTextorasrTextfields before they are provided to the LLM for analysis.
Audit Metadata