YouTube Content Manager Pro

Do not install or run this skill without further review. Specific concerns: - The code contains hardcoded API keys (payment provider and an AI provider). That means the author’s external accounts will receive your prompts and handle billing; those keys could be abused. - The SKILL.md claims 'local data storage' and an OpenAI API requirement, but the code sends data to api.siliconflow.cn and uses an embedded key — this is misleading and could leak content/metadata. - Pricing and payment flow are inconsistent (SKILL.md lists $0.005 per use; code uses SkillPay endpoints and a different amount in places). Embedded payment keys could allow unexpected charges or tracking. What you can do before proceeding: 1) Ask the publisher to remove hardcoded secrets and require runtime environment variables (and to document exactly which external endpoints will receive user data). Verify the owner identity of those endpoints. 2) Request an explanation for the OpenAI vs SiliconFlow discrepancy and for the pricing inconsistency. 3) If you must test, run the app in an isolated sandbox with network egress blocked to prevent data leaving your environment, and inspect network calls. 4) Prefer a version where API keys are provided by you at runtime, with clear privacy docs explaining what data is sent to external services and who controls the accounts that will be billed. If the publisher cannot satisfactorily explain and fix these issues, treat the skill as untrusted: it can exfiltrate content and route payments through the publisher’s accounts.