video-transcription
Audited by Socket on May 8, 2026
3 alerts found:
Anomaly x3
SUSPICIOUS: the stated purpose is coherent for transcription, but install/execution trust and data-flow integrity are incomplete. The main concern is opaque routing to a generic hosted transcription capability with non-official model names and unspecified shared scripts, which makes provenance and credential/data handling unverifiable from the skill text.
No clear evidence of intentional malware/backdoor behavior is present in this module alone. However, it provides powerful capabilities: it can read arbitrary local files (via resolved localFilePath) and write arbitrary files (via resolved outputPath) using remote-provided base64 content, with minimal validation/containment. If upstream callers or the bridge supply untrusted paths/urls/content, this can enable data exfiltration (upload) and unintended file overwrite or persistence-like impact (download).
SUSPICIOUS: the stated purpose is coherent for a transcription skill, but the actual external data flow is not auditable because the hosted provider endpoint, result URL domain, and shared release-shell rules are omitted. The skill appears proportionate in function, yet trust in execution and destination cannot be verified from the supplied material, so risk is medium rather than benign.