youtube-transcript

Warn

Audited by Socket on Mar 18, 2026

1 alert found:

Anomaly (LOW) in SKILL.md

The skill is functionally coherent, and its requested operations (downloading subtitles, optionally downloading audio and transcribing it with Whisper) align with its stated purpose. It does not contain direct indicators of malware (no obfuscated payloads, no external exfiltration endpoints, no credential harvesting). However, it relies on installing and executing third-party software (yt-dlp, openai-whisper) from package registries without pinned versions or integrity verification, which is a supply-chain risk. The script also suggests an insecure fallback (--no-check-certificate). Overall: usable, but medium supply-chain/security risk. Recommendations: require explicit user consent before any package install, pin package versions or verify hashes, and remove the suggestion to disable certificate checks.

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At: Mar 18, 2026, 10:58 PM
Package URL: pkg:socket/skills-sh/michalparkola%2Ftapestry-skills%2Fyoutube-transcript%2F@97d5833ddf29ada1b48a60ab2cf22b02ba571d57