youtube-transcript

[Skill Scanner] Natural language instruction to download and install from URL detected All findings: [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] supply_chain: Installation of third-party script detected (SC006) [AITech 9.1.4] The code implements a legitimate and useful workflow to fetch YouTube transcripts using yt-dlp and optionally transcribe with Whisper. I found no explicit malware, credential harvesting, or backdoor behavior in the provided script. The primary security concerns are supply-chain and execution risks due to unpinned, unverified installs (pip/apt/brew) and the download-execute pattern. The interactive prompts mitigate some risk but do not eliminate issues for automated execution. Use with caution: verify sources, prefer isolated environments (virtualenv/containers), and avoid disabling certificate checks. LLM verification: This skill's behavior is consistent with its stated purpose (download subtitles and transcribe audio). It does not contain direct malicious code or exfiltration routines. However, it includes multiple supply-chain risk patterns: unpinned pip installs, automated install instructions that perform network downloads and local execution (yt-dlp and whisper), and a suggestion to use --no-check-certificate as a fallback. These increase the security risk to users running the workflow. Recommended mitiga