twitter-dance

Before installing or running this skill: - Don’t trust the registry metadata alone — inspect SKILL.md and the code: this skill expects APIDANCE_API_KEY, TWITTER_AUTH_TOKEN, and optionally KIMI_API_KEY even though the registry lists none. - Verify provenance: source/homepage are listed as unknown/none in the metadata; package.json points to a GitHub path — confirm the repository and maintainer identity before trusting keys. - Avoid extracting long‑lived session tokens from your primary account via browser devtools. Prefer creating a dedicated developer/app token with minimal scope or use a throwaway/test account for initial testing. - Review the code (especially src/* and scripts/*) to see how credentials are used and whether verbose/debug logging might print sensitive data to logs. If you enable verbose=2, watch for sensitive fields in logs. - Run the code in an isolated environment (throwaway account, sandbox container or VM) first. Do not place production account credentials into the skill until you confirm behaviour. - Consider rotating credentials after any test runs. If you must use the skill, grant only the minimum scopes needed and avoid long-lived tokens where possible. - If you want to proceed, ask the maintainer to update registry metadata to declare required env vars and to document token/scopes clearly; request a reproducible source URL (official repo) and a minimal set of permissions for TWITTER_AUTH_TOKEN. I have medium confidence because the code and docs align with the stated purpose, but the metadata omission and the token extraction guidance are suspicious and merit manual review before use.