MoltThreats

Things to check before installing: 1) Metadata mismatches: Ask the publisher to explain why registry metadata lists no required env vars and model-invocation=false while the SKILL.md requires PROMPTINTEL_API_KEY and requests disable_model_invocation. Resolve which is authoritative. 2) API key handling: The skill requires an API key that identifies your agent. Verify the provider's domain (api.promptintel.novahunting.ai) is correct and trustworthy. Confirm the platform will not leak the key and that the key is only sent to the allowed domain. 3) Human consent & enforcement: SKILL.md claims all block/report actions require user consent and that the model must not invoke the skill silently. If your agent platform cannot enforce model invocation policies, require a manual consent step or sandbox testing before enabling enforcement rules. 4) Impact on agent behavior: The SHIELD.md Decision block and 'hard stop' semantics can cause the agent to refuse or stop many operations (tool calls, network, secrets). Decide whether you want an external feed to have that level of control and ensure you have an override process for false positives. 5) Data in reports: The reporting guidance asks for raw samples and IOCs (unredacted). Do not include secrets, private keys, or credentials in reports. Establish a review process for any data sent to the feed. 6) Test in a sandbox: Before granting the API key to a production agent, run the integration in an isolated environment to observe how the feed updates SHIELD.md and how blocking/require_approval rules are applied. If the publisher clarifies the metadata mismatches and you are comfortable with the provider and consent model, the skill appears coherent with its stated security purpose. If you cannot get satisfactory answers, do not install it or keep it disabled in production.