video-subtitles
Audited by Socket on Mar 1, 2026
1 alert found:
Security: The skill's stated purpose (generate and optionally burn subtitles, transcribe Hebrew/English, translate) aligns with the described capabilities. There are no overtly malicious behaviors in the documentation itself. However, supply-chain risks are present: an unfamiliar 'uv' installer, automated downloads of large unpinned models, and unclear model provenance (local model files vs remote API) introduce medium risk. Executing ffmpeg is expected but increases attack surface if shell invocations are implemented unsafely. Recommend requiring explicit, documented model download sources, checksum/signature verification, and clarity about whether audio is sent to remote APIs (and whether API keys are needed). Without the actual implementation code, I cannot confirm malicious content — treat this as a moderate supply-chain risk rather than confirmed malware.