GPCA

The skill's functionality (card/wallet management + automated shopping) is plausible, but the runtime instructions ask the agent to auto-download and execute code, modify local tool registration, and access the user's email inbox via browser snapshots — behaviors that are sensitive and not fully justified or declared.

Before installing or enabling this skill, consider the following: (1) The agent will be instructed to automatically git-clone and run npm install/build for a remote repo — this executes third-party code on your machine. Verify the gpca-mcp-server repository contents and maintainer before proceeding, or run the install yourself in an isolated environment (VM/container). (2) The skill will open your email inbox in a browser and take snapshots to extract verification codes; snapshots capture your entire inbox page and could reveal unrelated private data. Prefer manual email verification (do not allow auto-read), or only allow auto-read in a tightly controlled browser profile. (3) The skill registers a command with mcporter and writes files under ~/.gpca — review these files and mcporter configuration after install and only allow if you trust mcporter and the skill author. (4) Require the agent to ask for explicit permission before performing the automatic install or any account/password entry; do not enable automatic auto-login defaults. (5) If you decide to proceed, run the install steps yourself or review the remote repository code, and consider using an isolated environment and a throwaway email/account for testing. If you are not comfortable auditing the remote code or exposing your inbox, treat this skill as risky.