The Agent Skills Directory

[COMMAND_EXECUTION]: The skill uses child_process.spawn to execute python3 -m yt_dlp for downloading video content. Arguments are passed as an array rather than a single string, which is a secure implementation that prevents shell injection attacks.
[EXTERNAL_DOWNLOADS]: The skill downloads video media from URLs specified in a manifest using the legitimate yt-dlp utility. It also fetches transcription outputs and subtitle artifacts from the vendor's official cloud endpoints during the transcription process.
[CREDENTIALS_UNSAFE]: Authentication for the transcription service is managed via a session token (cliSessionToken) stored in the user's local configuration file (config.json) within the standard OS config directory. This represents standard and acceptable practice for persistent CLI authentication with a vendor platform.
[DATA_EXFILTRATION]: Media files and transcription job metadata are transmitted to the author's official infrastructure (PostPlus Cloud) for processing. This network communication is inherent to the skill's primary purpose and targets the vendor's own verified services.
[PROMPT_INJECTION]: The skill ingests transcription data derived from external video and audio sources. This represents an indirect prompt injection surface as untrusted text extracted from the media (e.g., spoken instructions) enters the agent's context. Current processing lacks specific boundary markers or sanitization for this content, though it is a characteristic of transcription tasks.

video-transcription