Personal Client Management System & Finance System

The skill's code and instructions match its description: it communicates with ourproject.app using a user-provided API key, has no hidden endpoints or unusual installs, and only persists a local .config.json file with the API key and some user info.

This skill appears to do what it says: it uses a user-provided API key to call ourproject.app endpoints. Before installing, verify you trust the source (there's no homepage or publisher site), and take these precautions: (1) do not paste sensitive keys you don't intend to store; the setup saves the key to .config.json — consider adding that file to .gitignore or securing it with proper permissions; (2) confirm the API URL is the official ourproject.app endpoint (the setup allows changing it) so you don't accidentally point the skill at an attacker-controlled host; (3) note the setup enforces keys starting with "op_"—ensure you're entering the correct service key (do not reuse unrelated service keys such as your OpenAI key unless explicitly intended). If you want stronger guarantees, request the skill's publisher and a homepage or review their upstream repository for provenance.