Chinese Pinyin Display

The skill's code and documentation match its stated purpose (converting Chinese text to a two-line pinyin+hanzi display) and use an expected npm dependency, but a pre-scan flagged unicode control characters in SKILL.md (possible prompt-injection attempt) and the documentation contains strong agent-level directives — both warrant manual inspection before installing.

This skill appears to do what it claims: local Node scripts plus a character database convert Chinese text to two-line pinyin+hanzi output. Still, proceed cautiously: 1) Inspect SKILL.md for hidden unicode control characters (open in a hex editor or use a tool that reveals invisible chars) and remove any you didn't expect (e.g., U+202E RIGHT-TO-LEFT OVERRIDE, zero-width control chars). 2) Review char_base.json if you care about data provenance — it’s large but plausibly a character mapping file. 3) Run npm install and the scripts in an isolated/sandbox environment (or CI) and verify outputs on representative inputs. 4) Check the pinyin-pro version in package-lock.json and, if supply-chain risk is a concern, verify the package integrity hash and/or vendor the dependency. 5) Because the markdown contains strong agent-level 'must-follow' rules, be mindful that embedding those rules into an agent could force rigid behavior; ensure you only enable this skill when you want that behavior and after you’ve confirmed SKILL.md contains no hidden instructions. If you’re not comfortable inspecting hidden characters yourself, treat the presence of the unicode-control-chars finding as a blocker until a trusted reviewer confirms the file is clean.