transcription-speech-to-text-hebrew

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). This skill tells the agent to accept an API key provided in chat and write/replace it into textops_settings.json (and confirms the save), which requires the LLM to handle and embed the secret verbatim—an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill clearly downloads and ingests untrusted, user-generated content from public sources (e.g., YouTube and arbitrary HTTP/HTTPS URLs via scripts/download_audio.py and scripts/transcribe.py, per SKILL.md Step 1/1.5) and the workflow explicitly reads filenames/titles and transcription output (on user request) and even uses filename/title cues to set processing flags (e.g., diarization), so external content can materially influence tool decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill's version_check.py fetches runtime JSON from https://raw.githubusercontent.com/TextOps/textops-skills/main/transcription-speech-to-text-hebrew/version.json which directly controls whether the skill prints update/stop instructions, and the YouTube path (scripts/download_audio.py) can invoke pip to install and run yt-dlp (fetched from PyPI, e.g. https://pypi.org/project/yt-dlp/) at runtime, meaning external content is fetched during execution and can alter prompts or execute remote code.