video-content-watcher

Do not install this skill without addressing the mismatches. Specific concerns: - Registry vs runtime mismatch: The registry declares no required env vars or binaries, but SKILL.md requires MINIMAX_API_KEY (required) and optionally WHISPER_API_KEY plus system tools (yt-dlp, ffmpeg). Expect to supply LLM/Whisper credentials and install ffmpeg/yt-dlp or the skill will fail. - Hardcoded dev paths / external code execution: The small bundled scripts purposely insert an absolute/workspace-relative path into sys.path and import video_reader_mcp from workspace-code-dev/video-reader/src — that 'src' is NOT bundled. At runtime the skill will execute whatever Python module is found at that path on the host. This can lead to arbitrary code execution if the path points to untrusted code. - Missing implementation: The real implementation appears to live outside the package. Ask the author for the full 'src' or a packaged module. Without it, the behavior depends entirely on host files and is unsafe to run on sensitive systems. - Suggested mitigation before use: require the publisher to (a) include the src implementation in the skill bundle or provide a canonical, verified install path; (b) remove hardcoded /home/ykl paths and use relative imports or configurable paths; (c) update registry metadata to declare required env vars and needed system binaries; (d) review the full VideoReaderMCP code for network endpoints, credential use, and data exfiltration; (e) run the skill in a sandboxed environment and avoid providing real API keys until code is audited. - What would change my assessment: If the publisher supplies the missing src files within the package (so no host-path imports are needed), removes hardcoded paths, and updates the registry to accurately list required env vars/binaries, this would make the package much more coherent and lower-risk.