video-to-srt

Security checks across malware telemetry and agentic risk

Overview

This is a local subtitle generator whose dependency and model downloads are disclosed and fit its purpose.

Install this only if you are comfortable with a local Python virtual environment and transcription dependency/model downloads. Run it on media files you choose, and avoid --copy-next-to-input if you do not want the source folder modified or an existing matching .srt overwritten.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 77% confidence
Finding: The wrapper automatically creates a virtual environment, upgrades pip, installs requirements, and then runs the transcription program without any user-visible confirmation. In a security-sensitive setting, this is risky because executing network-backed package installation as part of normal operation can surprise users, trigger unreviewed code download/execution, and expand the attack surface beyond simple local media processing.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal