speech-to-text
Audited by Socket on Mar 4, 2026
1 alert found:
Malware

This Skill is functionally coherent: it documents installing the inference.sh CLI and using it to run hosted Whisper models for transcription. However, it instructs the user to execute a remote install script via curl|sh (download-and-execute) and to run a third-party CLI that will transmit audio and credentials to inference.sh infrastructure. The documentation references transitive skill installation via npx, which increases the attack surface. I assess the package as suspicious from a supply-chain perspective (not confirmed malware): the main risks are download-execute installer, credential forwarding to a third-party service, and transitive installation of additional skills. Users who require strong trust or offline/local-only transcription should avoid the curl|sh install and hosted service calls or verify checksums and host binaries from trusted sources.