Agent Skills Setup

This package appears to be a legitimate multi‑IDE skill migration/setup tool, but it performs high‑impact actions (installing runtimes, downloading/installing dependencies, copying and overwriting many IDE config files, and injecting per‑skill env/apiKey values) that are not fully declared in the registry metadata. Before installing or running any scripts: - Inspect the scripts in scripts/*.sh for any network operations (curl/wget, wget, git clone, npm/pnpm/yarn, brew, apt-get) and note the exact remote URLs and commands they run. Pay special attention to any 'download' installers and archive extraction. - Search scripts for writes to files like ~/.openclaw/openclaw.json, ~/.copilot-skills/, ~/.vscode/settings.json, ~/.aws/, ~/.trae/, and for any lines that insert keys or environment values. - Run the recommended dry-run mode (--dry-run) first and review the generated migration-report.txt or any proposed changes before applying. - Make full backups of any IDE configs and your home-level skill directories before a real migration. Use version control (commit) or copy directories to a safe backup location. - If you have secrets or API keys in your existing skill configs, do not run any migration that automatically writes apiKey fields without reviewing where those values will be stored and who/what can read them. - Prefer running the scripts in a controlled environment (isolated VM or container) first to observe network activity, or run the commands manually step-by-step instead of allowing an automated script to run unreviewed. - If you want stronger assurance, ask the publisher for a canonical source repo or release tarball (GitHub/ClawHub) and verify signatures/versioning; note that this registry entry has no homepage/source URL listed and the owner is unknown. If you share the contents of any of the scripts (especially auto-configure-openclaw-skills.sh and sync-global-skills.sh), I can highlight exact commands and network endpoints to check and point out risky lines to audit.