video-transcripts

SUSPICIOUS. The core purpose is coherent: fetch videos from GitHub/Linear and transcribe them with Google's Gemini API. However, the skill expands scope by harvesting auth from local cookie stores, `gh auth token`, and even `~/.bash_profile`, which is broader than a clean API-key-only transcript helper. Data flows go to official domains rather than an attacker proxy, so this is not clearly malicious, but the credential-handling and local secret discovery make it medium risk.