video-stt

This skill largely does what it claims (downloads video audio and runs local Whisper transcription), but there are several red flags you should consider before using it: - The skill advertises cloud API support and shows environment variable names (OPENAI_API_KEY, etc.) in the README, but the provided scripts do not implement cloud transcription — the shell script will exit on --api. Do not export API keys solely because the docs mention them unless you inspect and trust updated code. - The scripts will attempt to install dependencies at runtime: they call Homebrew ('brew install') and install Python packages via 'uv pip install'. On non-macOS systems 'brew' may not exist and automatic installation may fail or be undesirable. Review and run installs manually in a controlled environment. - The bash script builds a python -c one-liner embedding variables (MODEL, FORMAT, OUTPUT_FILE, AUDIO_PATH) without robust escaping. If you (or an agent) pass untrusted values into those CLI arguments, there's a risk of shell/command injection. Prefer running the Python code from a file with properly passed arguments or sanitize inputs. - The skill will download arbitrary URLs you give it (via yt-dlp) and write audio/transcript files to the skill folder; only run it on content and URLs you trust and in a sandbox if possible. Recommendations: - Inspect the scripts locally, remove or modify the inline python -c usage to a safer invocation, and remove automatic 'brew install' calls or gate them with an explicit prompt. - If you need cloud transcription, either implement the API flow securely (and only then provide API keys) or avoid setting API keys. - Run this skill in a controlled environment (container or VM) the first time so you can observe its behavior and confirm it doesn't attempt unexpected network access or installs. Because of the documentation/code mismatches and the unsafe variable embedding, treat this skill with caution — useful but not turnkey-safe without review.