youtube-transcript

Warn

Audited by Socket on Mar 10, 2026

1 alert found:

Category: Security
Severity: MEDIUM
File: SKILL.md

The skill purpose (transcript extraction) is coherent with its described workflow. However, the install/custom binary distribution method (curl directly to a GitHub release without verification) introduces a non-trivial supply-chain risk and elevates the security profile to MEDIUM-HIGH. The data flow focuses on local storage with external calls only for retrieval via yt-dlp, which is expected for functionality. Overall, the footprint is mostly aligned with the stated purpose but the unverifiable binary install makes this skill SUSPICIOUS to HIGH risk without mitigations (checksum verification, pinning to official registries, or embedding the binary within a trusted bundle). Implementing verifiable installation (official registry, signed checksums) would move the risk toward Benign.

Confidence: 75%
Severity: 70%

Audit Metadata

Analyzed At: Mar 10, 2026, 03:34 AM
Package URL: pkg:socket/skills-sh/elliotjlt%2Fclaude-skill-potions%2Fyoutube-transcript%2F@882ff035d911cbe62745f322c0f8243e3d216aca