ez-stt
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses subprocess.run to call ffmpeg for audio format conversion. It passes the arguments as a list rather than as a shell string (no shell=True), so a user-supplied filename reaches ffmpeg as a single argument and cannot inject additional shell commands.
- [CREDENTIALS_UNSAFE]: The script reads Matrix credentials from a local .env file in the user's home directory. This is a standard and acceptable method for a local CLI tool to handle user-provided secrets without hardcoding them in the source; the file should be readable only by its owner.
- [EXTERNAL_DOWNLOADS]: The script downloads machine learning models from Hugging Face using the onnx-asr and huggingface_hub libraries. Hugging Face is a well-known and widely used service for AI model distribution; pinning a specific model revision would additionally make the download reproducible.
- [DATA_EXFILTRATION]: Transcribed text is optionally sent to a Matrix server. The destination server and authentication token are read from the user's own environment configuration, so the data flows only to infrastructure the user has configured.
- [SAFE]: The script logs to /tmp/stt_matrix.log. A log file in the shared /tmp directory can expose metadata (such as Matrix room IDs) to other users on the same local system, but it does not leak credentials or private keys.
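The COMMAND_EXECUTION finding above turns on one detail: argv list versus shell string. The following added example (written for this audit page, not code from the ez-stt skill) shows both forms side by side. It replaces ffmpeg with the running Python interpreter so it runs offline, and the ffmpeg options in ffmpeg_convert_argv (16 kHz mono) are assumed; the skill's real options are not shown on the page.

```python
import subprocess
import sys

# Constructed attacker-controlled filename: a shell metacharacter followed by a second command.
EVIL_NAME = "clip.wav; echo INJECTED"


def ffmpeg_convert_argv(src, dst):
    """Build the ffmpeg call the safe way: one list, one argument per element.

    The options are assumed for illustration (16 kHz mono output); the skill's real
    options are not on the audit page. Whatever `src` contains, it is a single argv
    entry and is never interpreted by a shell.
    """
    return ["ffmpeg", "-hide_banner", "-y", "-i", str(src), "-ar", "16000", "-ac", "1", str(dst)]


def run_argv(name):
    """Safe form: argv list, no shell. The whole name arrives as ONE argument."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", name],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip()


def run_shell_string(name):
    """Unsafe form: the same call as a shell string with shell=True.

    The shell splits on ';' and executes the tail of the filename as its own command,
    so the output contains the injected command's output on a second line.
    """
    cmd = f"{sys.executable} -c 'import sys; print(sys.argv[1])' {name}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    print("argv form     :", repr(run_argv(EVIL_NAME)))
    print("shell form    :", repr(run_shell_string(EVIL_NAME)))
    print("ffmpeg argv   :", ffmpeg_convert_argv(EVIL_NAME, "out.wav"))
```

With the argv form the interpreter prints the full string `clip.wav; echo INJECTED` as one argument; with the shell string it prints `clip.wav` and then the shell runs `echo INJECTED` as a separate command. The same split would happen to an ffmpeg invocation built as an f-string, which is why the list form in the skill matters.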
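The CREDENTIALS_UNSAFE and SAFE (logging) findings both come down to file permissions on a local system: the .env file holding the Matrix token should not be readable by other users, and a log under /tmp should not be either. The following added example (not code from the ez-stt skill) shows the two checks a practitioner would want: a .env loader that refuses a group- or world-readable secrets file, and a log opener that creates the file owner-only and refuses to follow a symlink planted in /tmp. The .env keys, file contents and log path are constructed for the demo and assumed; the real variable names used by the skill are not on the page.

```python
import os
import stat
import tempfile


def load_dotenv_checked(path):
    """Parse simple KEY=VALUE lines, but only from a file readable by its owner alone.

    Minimal parser (comments, blank lines, optional surrounding quotes); it is an
    assumed stand-in for whatever loader the skill really uses.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by other users (mode {mode:o}); chmod 600 it")
    env = {}
    with open(path, encoding="utf-8") as f:
        for raw in f:
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def open_private_log(path):
    """Open a log for appending so that only the owner can read it.

    O_CREAT with mode 0o600 applies to a newly created file (the umask can only
    remove bits, never add them); an existing file keeps its mode. O_NOFOLLOW makes
    the open fail if someone pre-planted a symlink at the path, which matters for a
    fixed name in a shared directory such as /tmp.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    return os.fdopen(fd, "a", encoding="utf-8")


def demo():
    """Exercise both checks on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        env_path = os.path.join(d, ".env")
        with open(env_path, "w", encoding="utf-8") as f:
            # Constructed contents; the variable names are assumed, not the skill's.
            f.write("# constructed sample\n")
            f.write("MATRIX_HOMESERVER=https://matrix.example.org\n")
            f.write('MATRIX_TOKEN="syt_constructed_token"\n')

        os.chmod(env_path, 0o644)          # world-readable: must be rejected
        try:
            load_dotenv_checked(env_path)
            rejected = False
        except PermissionError:
            rejected = True

        os.chmod(env_path, 0o600)          # owner-only: accepted
        env = load_dotenv_checked(env_path)

        log_path = os.path.join(d, "stt_matrix.log")
        with open_private_log(log_path) as log:
            log.write("room=!constructedroom:example.org\n")  # metadata only, as on the page
        log_mode = stat.S_IMODE(os.stat(log_path).st_mode)

    return {"rejected_world_readable": rejected, "env": env, "log_mode": log_mode}


if __name__ == "__main__":
    print(demo())
```

The permission check covers the finding as stated: a .env in the home directory is fine as long as it is mode 600, and a log created with 0o600 under /tmp no longer exposes room IDs to other local users.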
Audit Metadata