youtube-transcript-extract

SUSPICIOUS: the skill’s purpose is coherent, but it relies on an unpinned third-party npm CLI executed with `npx -y`, and the exact package/provenance could not be clearly verified from the evidence. No credential access or obvious malicious data routing is present, so this looks more like a supply-chain trust problem than a malicious transcript extractor.