企雀医美系统-AI助手

This skill appears to be a legitimate QiQue planner, but there are a few red flags you should consider before installing or using it: - The skill expects you to provide and lets it persist sensitive credentials (app_id and app_secret). Only provide these if you trust the skill's source and you understand where the credentials will be stored and who can access them. - The package includes a prefilled distribution_app_secret in config/qique.config.json. That is a sensitive secret embedded in the bundle; do not assume it belongs to you. Ask the publisher why it's included and consider removing or replacing it with empty placeholders before use. - The registry metadata did not declare any required config paths, but SKILL.md requires reading/writing config/qique.config.json — this mismatch is sloppy and merits caution. - The skill promises not to perform remote calls itself (router-only) and to require explicit user confirmation for write operations; still, verify that the agent/platform enforces 'do not auto-execute' and that any actual API calls (if/when performed) go to the expected QiQue endpoints (the method docs reference pre-e.qique.cn). Actions you can take: - Ask the skill publisher for provenance and whether the included distribution secret is intentional. - If you must test, use throwaway QiQue credentials or a test account and remove embedded secrets from the config file. - Confirm how and where the platform persists secrets (encryption, removal, access controls) and whether you can revoke stored credentials later. If you can get answers to the above and confirm secure storage, the skill's behavior would be reasonable for its stated purpose; otherwise treat it as untrusted and avoid providing production credentials.