Scan Report
10 /100
audio-to-text-and-video-to-text
Transcribe audio and video files into text using OpenAI's Whisper API
Standard audio/video transcription skill with legitimate subprocess and API usage; no malicious behavior detected.
Safe to install
Pin pip dependencies to specific versions to mitigate supply chain risks. Otherwise safe to use.
Findings 1 items
| Severity | Finding | Location |
|---|---|---|
| Low | Dependencies installed without version pinning Supply Chain | scripts/transcribe.py:103 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | scripts/transcribe.py reads media input and writes transcript output |
| Network | READ | READ | ✓ Aligned | scripts/transcribe.py calls OpenAI Whisper API only |
| Shell | WRITE | WRITE | ✓ Aligned | subprocess calls for ffmpeg and pip install are declared in SKILL.md |
| Environment | READ | READ | ✓ Aligned | Reads OPENAI_API_KEY from environment as documented |
2 findings
Medium External URL 外部 URL
https://platform.openai.com/api-keys SKILL.md:96 Medium External URL 外部 URL
https://ffmpeg.org/download.html scripts/transcribe.py:96 File Tree
4 files · 39.6 KB · 1152 lines Python 2f · 852L
Markdown 2f · 300L
├─
▾
scripts
│ └─
transcribe.py
Python
├─
▾
transcription
│ ├─
▾
scripts
│ │ └─
transcribe.py
Python
│ └─
SKILL.md
Markdown
└─
SKILL.md
Markdown
Dependencies 2 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
openai | * | pip | No | Version not pinned |
pydub | * | pip | No | Version not pinned |
Security Positives
✓ All subprocess usage (ffmpeg, pip) is documented in SKILL.md
✓ API key is used only for Whisper API calls; not harvested or exfiltrated
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No obfuscation techniques (base64, eval, encoded commands)
✓ No persistence mechanisms (cron, startup hooks)
✓ No credential theft or data exfiltration
✓ No reverse shell or C2 communication
✓ No hidden instructions or prompt injection