Token Panel Ultimate

Security checks across malware telemetry and agentic risk

Overview

The skill largely matches a local usage-tracking/dashboard purpose, but there are multiple inconsistencies and small-but-meaningful red flags (hard-coded paths, missing declared env vars, CORS + local REST API, and an apparently truncated/buggy DB file) that warrant review before installing or running it.

This package mostly does what it says (local usage tracking + dashboard), but review these before installing or running:

- Inspect files locally (api.py, collector.py, db.py, parsers/*). The db.py listing appears truncated/corrupted in the bundle you were shown — run a syntax check (python -m py_compile) before executing. A broken db.py will cause runtime errors.
- The userscript (scripts/budget-panel-widget.user.js) contains hard-coded paths (/home/globalcaos/...) and requests file:// connectivity. If you install that userscript, update paths to point to your own home directory and understand the browser extension will attempt to read local files. Avoid installing untrusted userscripts that access local files.
- FastAPI is configured with CORS allow_origins=['*']. Confirm you run the server bound to 127.0.0.1 only (the code does that by default when started via uvicorn api:app --port 8765), and do not expose the port to public networks. If you must expose it, tighten CORS and authentication.
- The code will use provider credentials if present (ANTHROPIC_ADMIN_API_KEY, MANUS_API_KEY, GOOGLE_API_KEY/GEMINI_API_KEY). Only provide API keys that you intend to be used; avoid putting unrelated secrets into environment variables accessible to this process.
- The README references a systemd service file that was not in the provided manifest — if you follow service installation instructions from the README, ensure the service file is legitimate and that you understand sudo is required to place systemd units in /etc.

If you want to proceed safely: run the service in a sandboxed environment or container first, verify behavior, run static analysis (lint/pycompile), and update the userscript paths before use. If you are not comfortable auditing the code, treat this skill as untrusted until reviewed.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

VirusTotal

No VirusTotal findings
