ResearchVault
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill's code, runtime instructions, and requested environment variables are coherent with a local-first research orchestration tool; nothing in the bundle requests unrelated credentials or a hidden installer, though it runs a local portal that executes the CLI and writes local state.
This repository and its SKILL.md are internally coherent with a local-first research vault. Before installing:
1) Review start_portal.sh and run_portal.py to confirm they only bind to localhost and that the portal token handling meets your requirements.
2) Protect the generated .portal_auth (token) file (chmod 600) and do not expose the portal to untrusted networks; the portal can run vault CLI commands when authenticated.
3) Set provider API keys (BRAVE_API_KEY, SERPER_API_KEY, SEARXNG_BASE_URL) only in the backend process environment, as documented; the portal intentionally disallows secret writes.
4) Run inside a virtualenv and inspect scripts/services/ if you plan to run MCP/watchdog: they must be started manually.
5) If you need higher assurance, review vault_exec.run_vault and the scuttle implementation to validate subprocess environment handling and SSRF protections.
Installing and running this skill is reasonable if you accept local state persistence and protect the portal token.
Static analysis
Static analysis findings are pending for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
No visible risk-analysis findings were reported for this release.
