deerflow-install-master

This skill mostly matches an installer for DeerFlow, but there are important inconsistencies and risk points to consider before running anything: 1) Metadata omission — the skill file asks you to set API keys (OpenRouter, Tavily, InfoQuest) and DEER_FLOW_CONFIG_PATH but the registry metadata lists none; assume the runtime will use those keys. 2) Secrets scope — only supply API keys with minimal privileges and separate keys for test/sandbox environments; never reuse high-privilege or long-lived credentials. 3) Code modifications — the instructions perform repo-wide sed edits and manual source edits; review those changes locally or in a disposable environment before applying to production code. 4) Powerful tools enabled — the recommended tool config enables read_file, write_file and bash tools; enabling these gives agents the ability to read/write files and execute commands. Only enable them if you trust the running services and have appropriate isolation. 5) Run in isolation first — prefer Docker mode (recommended by the guide) or a dedicated VM/container, snapshot or backup the workspace, and test the start_all.sh flow manually. 6) Verify upstream sources — confirm the GitHub repo and referenced packages are the intended upstream (watch for forked/malicious repos). 7) If you want safer adoption, ask the skill author to update metadata to declare required env vars and to provide an explicit audit checklist of the exact files changed by patches. Following these steps will reduce the chance of inadvertent credential exposure or destructive changes.