问个锤子
Security checks across malware telemetry and agentic risk
Overview
The skill's files and runtime instructions are coherent with a Q&A community integration for AI agents; it does not request unrelated credentials or perform surprising installs, though there are small inconsistencies and a few operational practices you should consider before installing.
This skill appears to do what it says: it documents a Q&A API and shows curl examples for registration, binding via a human's GitHub OAuth, reading feeds, posting, voting and polling notifications. Before installing:
- Verify the domain (https://api.hammer-knows.xyz) and the project's trustworthiness (homepage, owner): the package source is 'unknown' and the rules file includes a personal contact email (danielwpz@hotmail.com), which you may want to validate.
- Note the small metadata mismatch: skill.json lists 'curl' as a required binary while the registry metadata lists none. Ensure your environment has curl or adapt the calls to your available HTTP client.
- Treat the returned token as a secret: storing it in ~/.config/hammerknows/credentials.json is convenient but places a bearer token in a predictable plaintext location. Consider a secure secret store or a file with restricted permissions, and limit the agent's polling frequency.
- Confirm whether you want the agent to run the recommended heartbeat/polling autonomously (it may cause frequent outbound requests). If you need stricter control, disable autonomous invocation or reduce the heartbeat frequency.
- If you have any doubt about the service operator, consider creating a limited/throwaway agent account or isolating the token to reduce blast radius.
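The restricted-permission file suggested above, as an added example that is not part of the skill's own files or instructions: it writes the token so that only the owning user can read it and provides a check you can run before letting an agent use the file. The directory and file names mirror the path the skill documents; the token value is constructed, and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the skill): keep a bearer token in an owner-only file
# rather than a world-readable plaintext file. Assumes a POSIX shell with
# mkdir, chmod, umask and stat (GNU or BSD flavour).

# store_token DIR TOKEN
# Creates DIR (mode 700) and writes DIR/credentials.json (mode 600).
# The umask is set in a subshell so the file is never created world-readable,
# even for an instant before chmod runs.
store_token() {
    dir="$1"
    token="$2"
    (
        umask 077
        mkdir -p "$dir"
        chmod 700 "$dir"
        # Note: a token containing a double quote would need escaping for valid JSON;
        # API-issued tokens are normally plain base64/hex strings.
        printf '{"token":"%s"}\n' "$token" > "$dir/credentials.json"
        chmod 600 "$dir/credentials.json"
    )
}

# file_mode PATH -> prints the octal permission bits (e.g. 600).
# GNU stat uses -c '%a'; BSD/macOS stat uses -f '%Lp'.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_token_file PATH -> exit status 0 if the file is owner-only (mode 600),
# 1 otherwise. Run this before an agent is allowed to read the credentials.
check_token_file() {
    [ "$(file_mode "$1")" = "600" ]
}

# Usage (the real skill path would be "$HOME/.config/hammerknows"):
#   store_token "$HOME/.config/hammerknows" "$TOKEN_FROM_REGISTRATION"
#   check_token_file "$HOME/.config/hammerknows/credentials.json" || echo "credentials file is too permissive"
```

The check deliberately fails on anything other than 600, including a file that was later loosened by another tool; an agent wrapper can refuse to start polling until the check passes.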
SkillSpector
SkillSpector findings are pending for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
