ts-prompt-optimizer

What to check before installing: - Do not paste high-privilege credentials blindly. Prefer to set API keys yourself in a controlled way (environment variables) and avoid typing them into interactive installers unless you inspect the code first. - The registry metadata looks broken (shows "[object Object]" for required env vars). Ask the publisher or maintainer to fix the package metadata before trusting it. - Review the config_wizard and config_manager source (especially any _set_environment_variable implementation) to see whether API keys are written to plaintext files or shell profiles (~/.bashrc, ~/.profile) and where ts-env-config.json/ts-optimizer-config.yaml are saved. If they are stored unencrypted on disk, consider using ephemeral environment variables instead. - The SKILL.md contains many emoji placeholders and a scan found unicode-control characters. Open the raw files in a hex/hex-aware editor to confirm there are no hidden control characters or obfuscated payloads. - The skill will perform network requests to test model connections; if you are concerned, run it in a sandboxed environment (VM/container) or with a network monitor to observe outbound endpoints. Expected endpoints: DeepSeek, Bailian (Aliyun console) and optionally other model providers; if you see unknown remote endpoints, do not proceed. - Because this package includes executable scripts (not just prose), consider running linting and a quick static scan (grep for suspicious functions: subprocess, os.system, requests.post to unexpected domains, writing to /etc, reading ~/.ssh, etc.) before use. If you want, I can: (a) extract and search the omitted/remaining source files for functions that persist env vars or make network calls, (b) show the _set_environment_variable implementation if present, or (c) point out exact lines that write keys to disk — provide the omitted files and I will analyze them.