Bp Prototype

Security checks across malware telemetry and agentic risk

Overview

The skill's purpose (generate BP templates from GitHub + a BP system API) is coherent, but the runtime instructions reference a live BP API key and environment variables that are not declared in the metadata — an inconsistency that could lead to unexpected requests for secrets or network access.

What to consider before installing:

- The skill legitimately fetches a BP specification from a GitHub raw URL and is designed to call your BP system API to pull live Goals/Results/Actions. That requires network access and a BP API credential (BP_APP_KEY), but the skill's metadata does not declare any required environment variables or primary credential. This mismatch is the main red flag.
- If you plan to use real-time BP data, confirm where the BP API is hosted, how authentication works, and whether the skill will store the BP_APP_KEY locally. Prefer giving a scoped, read-only API key. Ask the developer to explicitly declare required env vars (e.g., BP_APP_KEY) and document exactly where and how they're used.
- The included script (scripts/generate.py) will fetch the GitHub spec and write files into versions/ in the skill directory. Review and run the script in a sandbox first to verify behavior. The script also respects HTTP_PROXY/HTTPS_PROXY env vars, so ensure your proxy settings are intentional.
- If you do not want the skill to access your live BP system, do not provide BP_APP_KEY and instead use the skill in 'query mode' with existing versions/ files. Alternatively, run the generator locally with controlled inputs.
- Ask the author to (1) add BP_APP_KEY and any other required env vars to the skill metadata, (2) explain whether any secrets are persisted, and (3) provide a clear privacy/usage statement for the BP API data before granting access.
- If uncertain, classify this as untrusted until those questions are answered; do not paste production credentials into prompts.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

VirusTotal

No VirusTotal findings
