Ai Shifu Course Creator

This skill appears to implement the course-authoring + deployment workflow it advertises, but there are a few red flags to check before installing or running it: - Inspect scripts/shifu-cli.py (the included CLI) before execution. Verify which network endpoints it talks to, what it sends, and whether it logs or transmits course or user data elsewhere. Do not run it until you confirm endpoints are only the expected AI‑Shifu hosts (app.ai-shifu.cn / app.ai-shifu.com) or other documented URLs. - The docs reference storing a login token in {skillDir}/.env and using SHIFU_TOKEN / SHIFU_BASE_URL env vars, yet the registry declares no required env vars — treat credential handling as optional but sensitive. Confirm where the token is stored, file permissions, and whether it is encrypted or accessible to other processes/users. - The login flow asks for phone number and SMS verification codes (PII and OTP). Only provide those to the CLI if you trust the code after review. For non-China regions the docs advise copying a browser token — prefer that approach if you can inspect and control the token value. - Because the package includes executable Python code, run it in an isolated environment (container or VM) when you first test; monitor network traffic and filesystem changes (especially writes to {skillDir}/.env, and any unexpected uploads). - If you cannot or will not review shifu-cli.py, do not provide SMS codes or tokens. Consider asking the skill author for an audit summary or a signed release from a trusted source. If you want, provide the full contents of scripts/shifu-cli.py and I can analyze it for network endpoints, credential handling, and any suspicious code patterns.