video-to-subtitle-summary

The skill’s main behavior matches its stated purpose, and its core dependencies/endpoints are largely legitimate. However, it is not fully benign: it reads raw credentials from shell config files and routes user data through a third-party aggregator (TikHub) plus ByteDance’s speech API. Overall this is coherent but moderately risky due to credential handling and external data flows, so the skill is best classified as suspicious rather than malicious.