扫描报告
10 /100
audio-to-text-and-video-to-text
Transcribe audio and video files into text using OpenAI's Whisper API
Standard audio/video transcription skill with legitimate subprocess and API usage; no malicious behavior detected.
可以安装
Pin pip dependencies to specific versions to mitigate supply chain risks. Otherwise safe to use.
安全发现 1 项
| 严重性 | 安全发现 | 位置 |
|---|---|---|
| 低危 | Dependencies installed without version pinning 供应链 | scripts/transcribe.py:103 |
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 文件系统 | WRITE | WRITE | ✓ 一致 | scripts/transcribe.py reads media input and writes transcript output |
| 网络访问 | READ | READ | ✓ 一致 | scripts/transcribe.py calls OpenAI Whisper API only |
| 命令执行 | WRITE | WRITE | ✓ 一致 | subprocess calls for ffmpeg and pip install are declared in SKILL.md |
| 环境变量 | READ | READ | ✓ 一致 | Reads OPENAI_API_KEY from environment as documented |
2 项发现
中危 外部 URL 外部 URL
https://platform.openai.com/api-keys SKILL.md:96 中危 外部 URL 外部 URL
https://ffmpeg.org/download.html scripts/transcribe.py:96 目录结构
4 文件 · 39.6 KB · 1152 行 Python 2f · 852L
Markdown 2f · 300L
├─
▾
scripts
│ └─
transcribe.py
Python
├─
▾
transcription
│ ├─
▾
scripts
│ │ └─
transcribe.py
Python
│ └─
SKILL.md
Markdown
└─
SKILL.md
Markdown
依赖分析 2 项
| 包名 | 版本 | 来源 | 已知漏洞 | 备注 |
|---|---|---|---|---|
openai | * | pip | 否 | Version not pinned |
pydub | * | pip | 否 | Version not pinned |
安全亮点
✓ All subprocess usage (ffmpeg, pip) is documented in SKILL.md
✓ API key is used only for Whisper API calls; not harvested or exfiltrated
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No obfuscation techniques (base64, eval, encoded commands)
✓ No persistence mechanisms (cron, startup hooks)
✓ No credential theft or data exfiltration
✓ No reverse shell or C2 communication
✓ No hidden instructions or prompt injection