youtube-transcript-extract

SUSPICIOUS: the stated purpose is benign and data flows appear limited, but the skill relies on an unpinned third-party `npx` execution with unclear provenance and uses wildcard activation broader than necessary. Main risk is supply-chain trust, not confirmed malware.