Social Media Automation

This skill appears to implement the promised social-media automation features, but several red flags mean you should be cautious: (1) The listing metadata ownerId differs from the _meta.json ownerId — verify the publisher/registry identity before trusting code. (2) The skill requires sensitive secrets (platform access tokens, cookies, Feishu webhook) even though it declares none; do not run it with real credentials until you confirm where/how secrets are stored. (3) The doc suggests storing an encryption key and encrypted credentials in .credentials/ and the example uses a local Fernet key file — storing the encryption key alongside encrypted data or in the repository is insecure. Prefer a dedicated secret manager or OS-level protected storage. (4) Browser automation can capture login sessions (including MFA cookies); review code that loads cookies and make sure it does not exfiltrate them. (5) There are contradictory recommendations (gpg/pass vs Fernet) — ask the author for a single, secure secret-handling plan and for explicit env var names for any webhooks/API tokens. Recommended next steps: verify the package owner, get the full source code (not only SKILL.md) and an explanation of secret storage and Feishu endpoint usage, and run the code in an isolated environment with least-privilege test credentials. If you cannot validate the author or confirm safe secret handling, do not install or run this skill with production credentials.