transcript-fixer

Fail

Audited by Gen Agent Trust Hub on Feb 23, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION] (HIGH): Reading sensitive shell configuration files to search for credentials. Evidence: scripts/fix_transcript_enhanced.py (lines 42-100) contains find_glm_api_key() which reads ~/.zshrc, ~/.bashrc, .bash_profile, and .profile to extract API keys. This exposes the entire contents of these environment files to the script's memory.
  • [REMOTE_CODE_EXECUTION] (HIGH): Recommendation and implementation of untrusted remote script execution via pipe. Evidence: SKILL.md and scripts/ensure_deps.py promote the command 'curl -LsSf https://astral.sh/uv/install.sh | sh'. This pattern is highly susceptible to source compromise or Man-In-The-Middle attacks.
  • [COMMAND_EXECUTION] (MEDIUM): Execution of subprocesses and system handlers for script automation and file opening. Evidence: scripts/fix_transcript_enhanced.py uses subprocess.run to execute Python scripts and platform-specific handlers like 'open', 'xdg-open', or 'os.startfile' to launch a browser.
  • [PROMPT_INJECTION] (LOW): Vulnerability to indirect prompt injection through untrusted data processing. Evidence: 1. Ingestion points: scripts/fix_transcription.py reads input files from disk. 2. Boundary markers: scripts/core/ai_processor.py uses simple bold headers for text separation but lacks 'ignore embedded instructions' directives. 3. Capability inventory: The skill can execute subprocesses and write to the filesystem. 4. Sanitization: No sanitization is performed on the transcript text before interpolation into the AI prompt.
Recommendations
  • HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 23, 2026, 05:28 AM