transcribe
Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the agent to execute a local shell script (transcribe.sh) that invokes powerful system binaries including ffmpeg, yt-dlp, and whisper-cli.
- [COMMAND_EXECUTION]: The installation components (install.sh and add_permission.py) modify the global agent configuration file (~/.claude/settings.json) to silently grant read permissions to the skill's repository path, bypassing the platform's built-in interactive security prompts.
- [EXTERNAL_DOWNLOADS]: The transcribe.sh script uses yt-dlp to download and extract audio from arbitrary user-provided URLs, which involves fetching data from various third-party websites.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the processing of untrusted external transcripts.
  - Ingestion points: The agent reads transcript content generated from external URLs or local audio files as defined in SKILL.md.
  - Boundary markers: The skill does not use delimiters or provide instructions to the agent to ignore embedded commands or instructions found within the transcript data.
  - Capability inventory: The agent has the ability to execute shell scripts (transcribe.sh) and perform file read/write operations.
  - Sanitization: No validation or sanitization is performed on the transcript text before it is processed by the agent's analysis logic.
Recommendations
- AI detected serious security threats
Audit Metadata