Xyfcli Order Guide

Plain-language checklist before installing or running this skill: - The skill uses an external CLI named 'xyfcli' (declared requirement). The repository actually includes a full Python implementation of that CLI, but there is no automated install step — the README shows a manual install command. Don’t assume the CLI is already installed; installing the bundled code will run user-owned code on your machine. - Installing or importing the bundled CLI will create a ~/.xyfcli/config.json file (the code writes a default config if missing). That file will hold the API base URL and any authorization token you set. Only set the token if you trust the backend and know which endpoint you are targeting. - Default API base is http://127.0.0.1:8000 in the sources; if you change base_url to a remote server, the CLI will send requests (and the token) to that server. Make sure the base_url points to a trusted internal system before setting the token. - The skill’s runtime instructions and code appear focused on legitimate ordering tasks and do not request unrelated secrets, but because the skill can talk to an API and persist a token, review the included code (api_client/config/order/shop) yourself or ask an administrator to do so before installing. - If you want minimal risk: do not install the bundled CLI; instead verify you have an existing trusted 'xyfcli' binary from a vetted source, or ask the skill author/maintainer for an official installation package or signed release. Also, confirm whether the agent will be allowed to autonomously invoke the skill (default = permitted); if you’re concerned about accidental automated orders, restrict autonomous invocation until you’ve tested it in a safe environment. If you want, I can list the exact files and code locations you should inspect (e.g., where the config is created and where HTTP endpoints are called) or produce a short step-by-step safe-install checklist.