speech-to-text
Audited by Socket on Feb 19, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

The package documentation and examples are consistent with a legitimate hosted transcription service using inference.sh and Whisper models. The primary security concerns are supply-chain and privacy risks:
(1) executing a remote installer via curl | sh grants the remote domain code execution on clients;
(2) the workflow centralizes user audio, transcripts, and authentication tokens to inference.sh endpoints, creating an exfiltration target if the service or installer is compromised;
(3) wildcard tool permissions (infsh *) increase the potential for unintended actions.
There is no direct evidence in the provided content of obfuscated or malicious code, hard-coded secrets, or backdoors — but a full assessment requires reviewing the installer script and CLI source and the service's handling of credentials and data. Recommend auditing the installer script and CLI code before running, minimizing credentials stored on the host, and avoiding uploading sensitive audio unless the service and its operators are trusted.

LLM verification: The SKILL.md itself is consistent with a legitimate hosted transcription offering and does not contain overt malicious code in the provided text. However, it instructs users to run a remote 'curl | sh' installer and routes user audio and credentials to a third-party service without documented privacy/retention details. This creates a significant supply-chain and privacy risk: the installer and CLI are trust pivots that, if malicious or compromised, could exfiltrate audio, credentials, or install