instagram-reels
Audited by Socket on Feb 23, 2026
1 alert found:
Malware [Skill Scanner]: Natural language instruction to download and install from URL detected

All findings:
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]

Functionality is coherent with the stated purpose: download public reels, extract audio, and send it to Groq's transcription API. The primary risks are data-forwarding (user audio and any PII sent to Groq) and the guidance to export browser cookies (which can expose session credentials if mishandled). There are normal supply-chain risks from downloading audio URLs discovered by yt-dlp (if those URLs or metadata are tampered with, they could deliver unexpected payloads), but the document does not include direct download-and-execute of remote code or obfuscated/malicious payloads. Overall the skill appears legitimate for its purpose but carries moderate operational/privacy risk that users should acknowledge (transmitting audio to an external service; careful handling of cookies).

LLM verification: The skill implements the advertised functionality and contains no direct programmatic malware or backdoor behavior in the supplied documentation and snippets. The primary risks are operational and supply-chain in nature: unpinned third-party dependency installation (yt-dlp), reliance on user-exported browser cookies (sensitive), direct download of audio from metadata-provided CDN URLs without integrity checks, and temporary files in /tmp. These make the package a medium security risk for supply-