The Agent Skills Directory

[SAFE]: No malicious patterns or security risks were detected. The skill's primary functionality is aligned with its documentation, and it operates with appropriate user confirmation for installation and large file processing.- [EXTERNAL_DOWNLOADS]: The skill installs well-known Python packages (faster-whisper, openai-whisper, tqdm, rich) through pip and downloads standard Whisper model weights from official repositories. It also references Homebrew for installing ffmpeg on macOS, which is a well-known and trusted service.- [COMMAND_EXECUTION]: Uses subprocess calls to execute local utilities like ffmpeg, ffprobe, claude, and gh. These calls use fixed argument lists and avoid shell execution, significantly reducing the risk of command injection.- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection as it processes untrusted audio transcripts and passes them to downstream LLM tools. Ingestion points: Audio data is transcribed to text in scripts/transcribe.py. Boundary markers: Uses --- separators and Transcrição: headers to delimit untrusted content. Capability inventory: Uses subprocess.run to call claude and gh tools and writes output to local Markdown files; it does not automatically execute LLM output as code. Sanitization: No specific sanitization or filtering of the transcript text is performed before LLM processing. This risk is categorized as low given the non-executable nature of the output.

audio-transcriber