Oathe Security Badge

Is jftuga/transcript-critic safe?

https://github.com/jftuga/transcript-critic

91
SAFE

This skill appears to be a legitimate tool for transcribing and analyzing audio/video content from files or URLs. It includes shell scripts that execute external tools and modifies Claude's configuration for permissions, but does so transparently for its stated purpose.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 95/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (3) (severity, finding, score penalty)

MEDIUM Shell Script Execution -15

The skill includes shell scripts (transcribe.sh, install.sh) that execute external tools including ffmpeg, yt-dlp, and whisper.cpp. While this is legitimate functionality for the stated purpose, it involves code execution that could be risky if those external tools have vulnerabilities.

LOW Configuration File Modification -5

The add_permission.py script modifies Claude's configuration file to grant read permissions. While transparent about its purpose, this involves modifying system configuration.

LOW URL Download Functionality -15

The skill downloads content from arbitrary URLs using yt-dlp, which could be misused to download malicious content or could expose the user's IP address to external sites. However, this is legitimate functionality for transcribing online videos.