Taobao Advisor

Key things to consider before installing or running: - Provenance: verify the skill author/owner (ownerId mismatch in _meta.json vs registry) before trusting it with secrets or production use. - Do not place any sensitive credentials in a .env file in the skill directory until you audit the code. The script calls load_dotenv() and would read any env vars present, even though current code does not use external APIs. - The bundle is currently buggy: the main script contains syntax/argparse issues (non-ASCII/fullwidth commas and unusual option names) that will likely cause the CLI to crash; treat it as not production-ready and review/fix code before use. - Run in a sandboxed environment (isolated VM or container) and inspect the code yourself (or have a developer review it). Check for hidden network calls or added code that could use 'requests' to exfiltrate data. - If you intend to use Taobao API keys for optional features, only provide minimal read-only credentials, store them securely, and confirm the skill actually needs them. Prefer creating a limited test account for this skill. - Suggested remediation before trusting: fix the CLI syntax errors, remove unnecessary dependency 'requests' if not used, add an explicit list of expected environment variables if API calls are supported, and correct the metadata/packaging inconsistencies. Confidence is medium because the code is straightforward and presently local-only, but the provenance/packaging mismatches and the presence of dotenv + unused networking deps introduce nontrivial risk if the package is modified or the missing files are added later.