Fanvue

What to check before installing/using this skill: - Provenance: the skill's source/homepage is missing and the owner id is unfamiliar. Prefer skills with a documented homepage or known publisher. Ask the publisher for a repository or contact info. - Metadata mismatch: the registry lists no required env vars, but SKILL.md and examples require FANVUE_CLIENT_ID, FANVUE_CLIENT_SECRET, and FANVUE_REDIRECT_URI. Confirm with the publisher why the manifest omits these and ensure the platform will prompt you to supply them securely. - Least privilege: only grant the OAuth scopes the agent truly needs. Scopes like offline_access (refresh tokens), read:subscribers, read:insights and write:* give broad access (read earnings/subscribers and create posts/messages). If you don't want the agent to send messages or post automatically, omit write scopes. - Credential handling: the examples use client_secret and exchange/refresh flows. Ensure the environment storing these secrets is secure and that tokens/refresh tokens are not logged or exported. Prefer confidential client flows when possible. - Autonomous actions: with valid tokens the skill can act on your account (post content, message subscribers, view earnings). If you will allow autonomous invocation, be comfortable that those actions are acceptable. Otherwise disable autonomous invocation or limit scopes. - Verify redirect/callback: when creating the OAuth app, set a redirect URI you control and verify the auth flow before handing over tokens. If you cannot verify the publisher or correct the metadata mismatch, treat the skill as untrusted and do not provide your Fanvue client secret or long-lived tokens.