Paddle

This skill's content appears to be a legitimate Paddle integration, but there are important inconsistencies you should resolve before installing or allowing an agent to use it autonomously: - Confirm environment variables: The docs use PADDLE_API_KEY and PADDLE_WEBHOOK_SECRET but the registry lists none. Require that the developer (or you) declare these env vars explicitly and keep keys in environment variables or a secure vault — do not store secrets in ~/paddle/memory.md. - Review local storage: The skill writes to ~/paddle/. Inspect that directory and the memory.md file format to ensure no plaintext secrets are saved. If you allow the agent to create files there, restrict their contents and file permissions. - Limit code access: The guidance to 'observe their code' could cause the agent to read unrelated source files. If you want the agent to inspect only specific repos or paths, enforce that constraint before use. - Verify webhook handling: Ensure webhook verification uses the webhook secret and timing-safe comparison as shown. Test only in sandbox until you confirm behavior. - Be cautious with CLI installs: The docs suggest installing the Paddle CLI (npm). Only run such installs from trusted sources and in controlled environments (sandbox/container) if you plan to follow that step. If you need higher assurance, ask the skill author to (1) list required env vars and binaries in the registry metadata, (2) explicitly state that memory.md will never contain secrets, and (3) narrow any instructions that read the user's codebase to specific, documented paths. If those clarifications are not available, treat the skill as suspicious and use it only in a constrained sandbox environment.