Videoinu

This package appears to be a real Videoinu CLI implemented in Python and performs the operations described, but there are a few actionable concerns to consider before installing: - Metadata mismatch: The skill registry entry claims no required credentials, but SKILL.md and the code require VIDEOINU_ACCESS_KEY and read/write ~/.videoinu/credentials.json. Treat this as a red flag in the publisher hygiene (ask publisher to correct metadata). - Sensitive token handling: The access key is effectively an account token (JWT). Prefer exporting VIDEOINU_ACCESS_KEY in a secure environment rather than saving it with auth.py unless you trust the machine and the skill. If you do save it, auth.py sets restrictive permissions, which is good. - BASE_URL is configurable: The code respects VIDEOINU_API_BASE, which if set to a malicious host would cause credentials and data to be sent there. Do not set VIDEOINU_API_BASE to an untrusted URL. - Code review: The included scripts are readable and use only the standard library (no obfuscated or downloader logic). If you do not trust the publisher or the unknown source, consider running the scripts in an isolated environment (VM/container) or manually inspecting the files (they are provided) before use. - Verification steps: Run `python3 auth.py status` and `python3 auth.py verify` (the latter will call the API) to confirm expected behavior. If you want stronger guarantees, ask the publisher to: (1) publish a homepage/source link, (2) correct the registry metadata to declare VIDEOINU_ACCESS_KEY as the primary credential, and (3) sign/release the package from a known source. Given the metadata omission and the sensitivity of the access token, I rate this as suspicious (medium confidence) rather than clearly benign. If you trust the skill's origin and videoinu.com, the code appears consistent with its stated purpose.