Agresource

This skill's functionality (scraping AgResource, summarizing, sentiment tracking, saving files, sending Telegram alerts) is coherent, but there are important security and privacy issues you should address before installing: - Do not accept the skill as-is. The code includes hard-coded fallback credentials (email and password) in multiple JS files. Treat those as compromised: they should be removed and rotated if they are real. - The registry metadata does not declare required environment variables even though the skill expects AGRESOURCE_EMAIL and AGRESOURCE_PASSWORD (and likely Telegram tokens). Ask the author to declare required env vars explicitly (and avoid embedding defaults in code). - Verify where Telegram alerts are implemented and whether a bot token or chat ID is required; those credentials must be declared and scoped appropriately. - The skill uses Playwright to control a browser and will save screenshots and full newsletter content to ~/clawd/memory/agresource; confirm you are comfortable with that storage (it may contain subscription-protected content). Consider restricting file permissions or changing the storage path if needed. - Inspect the full code (particularly any omitted/truncated parts) for network calls beyond agresource.com (e.g., unexpected remote endpoints) before giving it access to your credentials. - If you plan to use the skill, require the author to remove embedded credentials, update registry metadata to list required env vars, and document what external services are contacted. If the embedded credentials are yours or someone you know, rotate them immediately. If you want, I can: (1) list the exact files/lines where hard-coded credentials appear, (2) search the remaining truncated code for Telegram/network endpoints, or (3) suggest a minimal safe configuration checklist to prepare before installing.