Tax Invoice Guard
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill's code and SKILL.md expect multiple external integrations (miaoda CLI, Feishu, State Tax API) and an external verification service (yk-global), but the package metadata declares no required binaries or environment variables — several capability/credential mismatches and unexplained network calls warrant caution.
This package appears to implement the advertised features, but several mismatches and external-network behaviors make it suspicious rather than clean. Before installing or running:
1) Ask the author to list exactly which environment variables / secrets are required (Feishu app_token/app_secret, yk-global API key, any tax-authority credentials) and update registry metadata.
2) Verify the legitimacy of https://api.yk-global.com and the 124.220.60.10 server referenced in the changelog — confirm who receives API/key verification requests and what data is sent.
3) Inspect the code paths that call verify_api_key() and any tax-verification functions to see which invoice fields or raw images are transmitted; demand minimization (only send necessary fields) and TLS verification.
4) Require explicit documentation on data retention and on whether raw invoice images are ever uploaded off-host or logged.
5) Ensure external binaries (miaoda-studio-cli) are available from trusted sources or replace with vetted OCR libraries; confirm the skill will not invoke arbitrary shell commands.
6) If you must use this in production with sensitive invoices, prefer running the scripts in an isolated, auditable environment (air-gapped or corporate network) and do not provide enterprise tax credentials until you confirm endpoints and data flows.
If the author cannot clarify these items and update the metadata, treat the skill as untrusted.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings
Risk analysis
No visible risk-analysis findings were reported for this release.
