Dangerous exec
- Finding
- Shell command execution detected (child_process).
Security checks across static analysis, malware telemetry, and agentic risk
The skill mostly implements a matching service as described, but it also instructs the agent to write several local scripts, includes files that contact a hard-coded external IP, and even ships a remote deployment script with plaintext SSH credentials. These elements are disproportionate or unexpected and deserve careful review before installing or enabling cloud features.
What to consider before installing and enabling this skill:
- Review the code first: the package contains scripts that will be written to your filesystem and (if run) will contact an external IP (http://81.70.250.9:3000). Inspect cloud_sync.py and heartbeat_cloud.py to see exactly what data is uploaded when cloud sync is enabled.
- Do NOT enable cloud sync or run any of the shipped daemons unless you trust the operator of the remote endpoint. By default cloud.enabled is false, which is safer — keep it off unless you deliberately configure a trusted server_url and api_key.
- The repository includes deploy_server.py with plaintext SSH credentials. That file should not be executed on your machine. Treat it as a development artifact and remove it from any environment where it could run.
- If you need the skill but want to minimize risk: install only the local matching scripts, remove or sanitize any files referencing 81.70.250.9, and remove deploy_server.py. Consider running the skill in an isolated environment/container and monitor outbound network calls.
- Ask the publisher for provenance and hosting: the 'Source' is unknown and homepage is missing. Prefer skills from known maintainers and canonical domains; request confirmation of the cloud endpoint operator and an explanation for the included deploy scripts.
- If you are not comfortable auditing the code yourself, avoid installing or keep cloud features disabled and run only in local mode.
SkillSpector findings are pending for this release.
No VirusTotal findings