Whisper Local Api

The skill is classified as suspicious due to a significant supply chain vulnerability. The `scripts/bootstrap.sh` file allows overriding the `WHISPER_REPO_URL` environment variable, which dictates the Git repository to clone and execute. If an attacker can control this variable, they could inject a malicious repository, leading to arbitrary code execution during the setup phase. Additionally, the `SKILL.md` indicates the service binds to `0.0.0.0` by default, which, while warned about, exposes the service on all network interfaces, increasing the attack surface if the host is not properly firewalled. There is a benign prompt injection instruction in `SKILL.md` ('Ask before any package-manager operations') which aims to enhance safety, not to cause harm.