eSIMPal API Skill

This skill appears to be a legitimate integration for the eSIMPal API and sensibly limits itself to a single API key and approval gates, but there are packaging/metadata inconsistencies you should resolve before using it for real purchases: - Verify required credentials: SKILL.md requires ESIMPAL_API_KEY, but registry metadata claims no env vars. Make sure the platform will prompt you to securely provide ESIMPAL_API_KEY and will not accept a missing key. - Confirm non-autonomous behavior: SKILL.md forbids autonomous billable actions (autonomous_execution: false) and mandates explicit confirmation before POST /orders, /pay, and activation endpoints. Ensure the agent platform actually enforces this; don’t rely only on the prose in SKILL.md. - Validate the base URL and override behavior: SKILL.md allows an env override for the API base URL. Confirm you (or your deployment) control that override so requests cannot be redirected to an attacker-controlled endpoint. - Use least-privilege and test keys: Use a sandbox or restricted developer key with only orders:read/orders:write scopes for testing; never put production keys in logs or transcripts; rotate keys if exposed. - Test in a sandbox first: Perform non-billable flows in a controlled environment and verify idempotency-key handling to avoid accidental duplicate orders. If the maintainer can correct the registry metadata to list ESIMPAL_API_KEY as required and confirm platform enforcement of non-autonomous execution for billable endpoints, the inconsistencies would be resolved and risk reduced. Until then, treat the skill cautiously for any flow that can create charges or consume inventory.