ℹ
Purpose & Capability
The skill claims to combine I Ching rules with AI interpretation; the code implements deterministic hexagram generation and then calls an external AI service for interpretation — that is consistent with the stated purpose. However, the code requires an API key (MINIMAX_KEY) and a MINIMAX_URL endpoint not mentioned in the SKILL.md or the registry metadata, creating an inconsistency between claimed requirements and actual dependencies.
!
Instruction Scope
SKILL.md describes how to produce hexagrams and AI-driven interpretations but does not disclose that the runtime will POST the user's question and a prompt to an external API. The code sends the full constructed prompt (including the user's question) to https://api.sfkey.cn/v1/chat/completions. User-provided questions / context will therefore be transmitted to that third-party host — this data flow is not documented in the instructions.
✓
Install Mechanism
There is no install spec (instruction-only install) and only Python source files are included. Nothing in the manifest indicates downloads from unknown URLs or archive extraction. This is the lower-risk install model.
!
Credentials
The code reads MINIMAX_KEY from the environment, but the skill metadata lists no required env vars or primary credential. Worse, the source contains a hard-coded default API key ('sk-y9avgZs...'). That default key looks like a bearer-style key and may be sensitive or open to abuse; embedding such a key is inappropriate and elevates risk because user data could be routed via an author-controlled credential without disclosure.
ℹ
Persistence & Privilege
The skill is not always-included and uses the platform defaults for invocation. Autonomous invocation is allowed (platform default). While that alone is normal, combined with the undocumented external API call and embedded key, it increases the blast radius (the agent could autonomously send user questions to the external endpoint).
What to consider before installing
Before installing, consider these points:
- The code will transmit the user's question and a generated prompt to https://api.sfkey.cn using an API key embedded in the source. That network call and the key are not documented in SKILL.md or the skill metadata. If you care about privacy, do not install until this is resolved.
- Ask the maintainer to remove the hard-coded API key, declare MINIMAX_KEY as a required environment variable in the metadata, and document the external endpoint and its operator/terms. Prefer providing your own API key rather than relying on a default baked into the package.
- If you cannot verify the endpoint or the author's trustworthiness, avoid giving this skill permission to run autonomously or disable AI usage (use_ai=False) so interpretation runs locally or not at all.
- If you proceed, review network traffic from the agent to confirm where data is sent, and consider running the skill in an environment without sensitive context. Treat the embedded key as potentially compromised and assume user questions sent to that endpoint may be logged or used by third parties.