Smart Fetch
Pass
Audited by ClawScan on Feb 24, 2026.
Overview
The skill's code, instructions, and requested environment are consistent with a web-fetch/extraction utility; nothing asks for unrelated credentials or installs arbitrary remote code.
This skill appears to do exactly what it says: fetch and extract web pages, prefer markdown when available, apply limits, and cache results. Before installing or enabling it, consider:

(1) It will fetch arbitrary URLs — if the agent has network access to internal services, that could be used to reach internal endpoints (SSRF-like risk). Use SMART_FETCH_DOMAIN_ALLOWLIST or SMART_FETCH_DOMAIN_BLOCKLIST to restrict targets.
(2) Fetched content is cached on disk (default ~/.cache/smart-fetch); if content is sensitive, point --cache-dir to an appropriate location or disable caching (cache-ttl <= 0).
(3) It requires Node 18+ and the listed npm dependencies to run; review and vet dependencies if you will run the code in a security-sensitive environment.
(4) The code treats fetched content as untrusted (contains checks and warnings), but ensure the agent/platform enforces 'do not execute' on fetched text.

These mitigations address the main operational risks; otherwise the package is internally coherent and matches its stated purpose.
