Attio CRM

This skill largely does what it claims (Attio CRM workflows) but has a few red flags you should verify before installing: - Manifest vs files mismatch: the declared required binary is 'attio', but setup and docs install/use 'attio-mcp' and mcporter. Confirm which CLI/server the environment needs and that those binaries are trustworthy. - Missing declared env var: README and setup.sh require ATTIO_WORKSPACE_ID in addition to ATTIO_ACCESS_TOKEN. The skill metadata omits the workspace ID — assume the setup will ask for both. - Persistent plaintext credentials: setup.sh writes your ATTIO_ACCESS_TOKEN and WORKSPACE_ID into ~/.config/mcporter/servers/attio/config.json in cleartext. If you install, consider restricting file permissions, using a secrets manager, or avoiding persisting the token. - Installer actions: setup.sh runs npm install -g attio-mcp (global package install), creates directories under your home, and symlinks the skill. Run the script manually (not as root), inspect attio-mcp on npm/GitHub first, and run in a controlled environment if you have doubts. - Source/ownership: registry metadata shows an owner ID and no homepage; the README links to a GitHub repo but the package origin isn't proven by the registry entry. If you need to trust this skill, verify the attio-mcp project and the repository owner directly. If any of the above is unacceptable, do not run setup.sh; instead manually install and configure only the components you trust and keep tokens out of persistent configs where possible.