Antom Copilot

What to consider before installing/running: - Code review: Inspect api_config.json and all Python scripts before running. The skill ships with a hardcoded bot token and an external API endpoint (ibotservice.alipayplus.com) — confirm you trust that service and that the token is intended to be public. Ask the author where that token comes from. - Secrets handling: The scripts expect a local ~/antom/conf.json that contains merchant_token and SMTP username/password. Do NOT put production credentials there until you've audited the code. Prefer using an app-specific email password or a throwaway account for testing. - Sandbox first: Run the scripts in an isolated environment (throwaway VM, container) and with test credentials to observe network calls and output files. Monitor outbound requests to ensure only the documented endpoint is contacted. - Audit bugs and behavior: The code has implementation inconsistencies (different is_valid_data logic across scripts) and at least one apparent bug in JSON extraction (undefined variable). These indicate the package may be untested — expect runtime errors and verify error-handling so secrets aren't leaked to logs. - Operational controls: If you decide to use it, rotate any credentials that were exposed to the skill, and configure network egress rules (or allowlist only the required endpoint) if possible. If you want, I can list all locations in the code that read or transmit sensitive values (merchant_token, SMTP password) and the exact network endpoints they call so you can focus your review.