Cartogopher

The skill's requests and runtime instructions are coherent with its stated purpose (obtaining a trial key, downloading a CartoGopher bundle, installing an MCP server, and wiring the API key into the agent), but it performs actions that require user trust (downloading and extracting a binary bundle and writing persistent credentials/config).

This skill appears to do what it says, but it requires trust in the CartoGopher download and will make persistent changes. Before running the commands: 1) Confirm you trust https://cartogopher.com and prefer their bundle; 2) Inspect the downloaded zip (unzip into a temporary folder) before running anything or running npm install; 3) Be cautious about adding a long-lived API key to your shell profile (consider using a dedicated environment or machine/service account and revoke the key after trial); 4) Creating /etc/machine-id modifies system state and may require root — avoid doing that on production hosts; 5) If possible, perform the install inside an isolated environment (container or VM) and verify the MCP server code (cartogopher-mcp.js) before wiring it into your agent configs.