HN Podcast Archive

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed podcast archiving tool that downloads user-selected feed audio, runs local transcription, and writes archive files to a chosen output folder.

Install ffmpeg, whisper, and feedparser from trusted sources; run the script first with --limit and a dedicated output directory, and only schedule the cron-style automation after confirming that the feed and disk usage are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        "--output_dir",
        str(transcripts_dir),
    ]
    subprocess.run(cmd, check=True)
    if not expected.exists():
        raise FileNotFoundError(f"Whisper did not produce expected transcript: {expected}")
    return expected
Confidence
70% confidence
Finding
subprocess.run(cmd, check=True)

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser>=6.0.0
Confidence
50% confidence
Finding
feedparser>=6.0.0

Known Vulnerable Dependency: feedparser — 10 advisory(ies): CVE-2011-1157 (feedparser Cross-site Scripting vulnerability); CVE-2009-5065 (feedparser Cross-site Scripting vulnerability); CVE-2011-1158 (feedparser Cross-site Scripting vulnerability) +7 more

High
Category
Supply Chain
Confidence
80% confidence
Finding
feedparser

VirusTotal

66/66 vendors flagged this skill as clean.
