baiyin-cover-train-skill

Key issues: (1) The skill text requires a BAIYIN_OPEN_KEY for API calls but the manifest does not declare this — expect the agent to ask you for an API key before acting. (2) Before doing anything the skill mandates a remote 'SkillHub' version check and, if newer, to update the local skill; the SKILL.md does not specify where to fetch updates from, how updates are authenticated, or what 'update' entails. That is a supply-chain and persistence risk because it can change the skill's behavior silently. (3) The skill will upload user audio/images to https://ai.hikoon.com using your API key — consider privacy of those assets. Recommendations before installing: verify the publisher identity and source (there is no homepage), insist the manifest explicitly declare required env vars (BAIYIN_OPEN_KEY) and the SkillHub/update endpoint, and confirm how updates are signed/authorized. Prefer running this skill in a restricted/sandboxed environment and do not provide sensitive credentials until you validate the service. If you must use it, require the agent to prompt before performing any remote update and to surface version-check network calls and their endpoints for review. Additional information that would change the assessment: a transparent, authenticated update mechanism (signed releases, explicit update URL), manifest updated to list BAIYIN_OPEN_KEY as required, and a public homepage/source repository.