One API Calling GenAI

What to consider before installing/using: - Metadata mismatch: the registry lists no required env vars, but SKILL.md expects many sensitive provider keys and config files — ask for the source repo or homepage to verify origin. - Inspect the package before pip installing: the docs recommend `pip install genai-calling`; verify the PyPI project, source repository, and readable code before executing third-party code. - Protect credentials: store only the minimal provider keys you need. Prefer project-scoped keys and avoid placing long-lived/high-privilege keys in shared ~/.genai-calling/.env. - Beware of private-URL downloads: enabling GENAI_CALLING_ALLOW_PRIVATE_URLS or allowing arbitrary URL downloads can let the tool access internal network addresses (SSRF-like risk). Disable unless you understand the consequences. - MCP server caution: starting the MCP server can expose local services or accept remote requests if misconfigured (GENAI_CALLING_MCP_PUBLIC_BASE_URL, bearer tokens). Do not enable public exposure without reviewing config and firewall rules. - Use isolation: test the tool in an isolated environment (VM/container) and with low-privilege credentials before enabling it in production. - Source provenance: ask the publisher for a homepage/source repo and for the PyPI package name and checksum. If they cannot provide verifiable source, treat the package as higher risk. If you can provide the package name on PyPI or a source repository link, I can re-evaluate with higher confidence. If you need a checklist for safe inspection steps (pip metadata, file listing, quick code scan), tell me which environment you'll run in and I can provide one.