miaoying-cli-skill

What to check before installing: - Source and provenance: confirm the skill's origin (repository/homepage). The package.json and SKILL.md reference a GitHub repo, but the registry entry lacked key details — verify the real repo and commit history. - API key handling: the skill requires MIAOYING_API_KEY. Create a key with minimal permissions and prefer a short-lived/revocable key. Do NOT paste long-term keys into chat. If the skill stores the key in ~/.miaoying/config.json, ensure that file is in .gitignore and that you are comfortable with a local credential file. - Install safely: run npm ci --ignore-scripts in an isolated environment (container/VM) if you want to inspect behavior first. SKILL.md already recommends --ignore-scripts which helps mitigate lifecycle-script risks. - Network endpoints: the CLI calls miaoying.hui51.cn and www.aiphoto8.cn and downloads assets from cdn.hui51.cn / hui51.oss-cn-beijing.aliyuncs.com. If any of these hosts are unexpected for you, verify with the official service/maintainers. - Review code you will run: the repository is included in the package — inspect src/ for any unexpected network calls, credential exfiltration, or filesystem access beyond the declared paths. Pay attention to download code and any allowlists (there are domain allowlists, but some entries and matching logic are slightly odd). - Run in sandbox: if you lack time to audit, run the CLI in a sandboxed environment (container or dedicated VM) with a limited test API key. Primary reason for 'suspicious': the skill is functionally coherent, but the registry metadata omission (no env vars / no primary credential / no install spec) contradicts the SKILL.md and source code which clearly require Node and an MIAOYING_API_KEY; this mismatch should be resolved before trusting the package.