speech-to-text
Audited by Socket on Mar 8, 2026
1 alert found:
Malware
The skill aligns with a speech-to-text transcription tool using Whisper models via an external CLI. However, there are notable security concerns: the installation method relies on curl | sh from an external domain, and the core binaries are fetched from a separate domain without transparent, independently verifiable provenance beyond checksums. This introduces supply-chain risk even with checksum verification. Data flows for media URLs are expected and appropriate, but the external download/install pattern and unverifiable binaries justify elevated caution. Overall, the footprint is conceptually coherent with the stated purpose but remains suspicious due to the delivery/installation approach and external binary provenance.