videodb-skills
Audited by Socket on Mar 3, 2026
1 alert found:
Anomaly
This SKILL.md describes a high-capability video skill that requires installing third-party code via npx and pip and supplying an API key. The manifest itself does not contain code or explicit malicious payloads, but the operational footprint is high-risk: transitive installs, implicit download-and-execute setup, credential forwarding to an external service, and real-time screen/audio capture. These capabilities are plausible for the stated purpose (video upload, transcription, capture, and generation), but they are sensitive and should be treated as potentially dangerous without additional transparency: explicit network endpoints, least-privilege guidance for API keys, user-confirmation requirements for capture/upload, and a verifiable provenance/lockfile for the SDK and skill code. Recommend manual review of the video-db SDK source, inspection of post-install scripts, verification of the service endpoints, and restricting capture permissions and API keys to the minimum necessary before use.