parakeet
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
Flags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The skill instructs the use of 'uvx parakeet-mlx', which fetches and runs a package from PyPI at runtime. Since PyPI is not a trusted repository under the [TRUST-SCOPE-RULE], this constitutes unverified remote code execution.
- [External Downloads] (LOW): The skill downloads a ~2.5GB model file. Although Hugging Face is a trusted organization, the download of unverified large binary assets is a noted risk factor. Finding is downgraded per [TRUST-SCOPE-RULE].
- [Indirect Prompt Injection] (LOW): The skill possesses an indirect injection surface (Category 8) by processing untrusted audio files. The severity is low because the skill produces text output (SRT/TXT) rather than using the content for downstream decision-making or command execution.
- [Command Execution] (LOW): The skill utilizes local subprocess calls for utilities such as 'ffmpeg', 'awk', and 'grep' to perform audio conversion and text processing.
Audit Metadata