PMO
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill's behavior (and included script) expects and uses service credentials and local storage, but the registry metadata does not declare those requirements; this mismatch and a few risky design choices warrant caution.
Do not install blindly. Ask the skill author to (1) update the registry metadata to declare required env vars (e.g., GH_TOKEN, NOTION_TOKEN, FEISHU_TOKEN, TELEGRAM_BOT_TOKEN or equivalents) and the primary credential; (2) explain where config.yaml is stored, how tokens are protected (encryption, file permissions), and how long caches/logs are retained; (3) avoid using --token CLI flags in production (they can leak via process listings); and (4) provide a verifiable source/homepage and a changelog. If you must try it, run it in an isolated environment with least-privilege tokens (scoped GitHub PAT with minimal scopes) and review the memory/PMO files after use. If the author cannot justify the undeclared credential needs, treat the skill as untrusted.
SkillSpector
SkillSpector findings are pending for this release.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings were reported for this release.
