amazon-sorftime-research-market-skill

Key things to check before installing/using this skill: - Credentials: The code requires a Sorftime API key (it looks in a .mcp.json file or the environment variable SORFTIME_API_KEY). The skill metadata does NOT declare this — confirm you are comfortable providing the API key and prefer using an env var rather than a file stored in your repo. - Endpoint trust: The scripts call https://mcp.sorftime.com. Only provide an API key if you trust Sorftime and accept that data (queries, raw results) will be sent there. - File writes: Running the scripts will create a 'product-research-reports' folder under the project root (the scripts compute the project root by walking up several directory levels). Run the scripts from an appropriate working directory (or inspect/modify create_output_dir) if you do not want reports written to your home or repo root. - Review local config: Inspect any existing .mcp.json before running; it may contain embedded keys or URLs. Prefer setting SORFTIME_API_KEY in your environment instead of storing secrets in repo files. - Code review: If you have limited trust in the package source (homepage is none, source unknown), review scripts/api_client.py and run_analysis.py for behavior you are comfortable with — the code uses subprocess.run to call curl (passed as a list, so not shell-invocation) to communicate with Sorftime; this is expected but verify payloads if you need strict auditing. - Run in isolation: Consider executing the scripts in an isolated environment (container or throwaway VM) the first time to confirm behavior and file locations. If you want, I can: (a) point out the exact lines where the API key is read and where outputs are written, (b) suggest minimal edits to make required env vars explicit in SKILL.md/metadata, or (c) produce a short checklist to safely run the first data-collection run.