video-to-text
Audited by Socket on Mar 7, 2026
1 alert found:
Anomaly

The skill aligns with its stated purpose of extracting video text and generating transcripts/subtitles, and uses conventional tools (yt-dlp, ffmpeg, Whisper) and standard local installation flows. However, several risk signals exist: handling of login cookies, a potential unverified binary download within a node_modules path, and a Web API surface that could become an external data sink if not properly secured. Overall, the footprint is plausible for its stated purpose but warrants cautious security review due to credential handling, potential supply-chain risk from the model download process, and the possibility of unintended data exfiltration via the Web API. Treat as SUSPICIOUS with MEDIUM-to-HIGH risk due to credential handling and unverifiable binary components, unless provenance of the model binaries and cookie handling are clearly secured and auditable.