Resource Hunter

Security checks across malware telemetry and agentic risk

Overview

The skill's code and instructions generally match its stated purpose (search public indexes and community sources), but scanner flags in SKILL.md and several bundled JS endpoints raise caution and deserve manual review before installation.

What to consider before installing:

- This skill appears to do what it says: it runs included scripts to search public indexes, torrent sites, and Chinese 'pan' (cloud storage) providers. That requires outbound network access to many third-party domains — expected but privacy-relevant.
- The SKILL.md triggered prompt-injection detections (base64 and unicode control characters). Open the raw SKILL.md and search for any encoded blocks or hidden control characters; remove or reject the skill if you find unexpected embedded payloads or obfuscated instructions.
- Inspect the bundled JS (e.g., dalipan/pansearch bundles) for hard-coded endpoints (res.hexiaotu.com and others). Confirm those domains are legitimate and related to the connector functionality; if they are unknown to you, do not run the skill in a production environment until vetted.
- The skill does not request environment credentials, so avoid supplying any API keys or tokens. Some connectors in the code reference localStorage tokens — those are client-side artifacts and not required by the skill metadata.
- Run the skill in an isolated environment (sandbox, VM, or constrained network) first. Monitor outbound connections and review logs to ensure it only queries expected public sources.
- Be aware of legal risk: the skill targets public links to potentially copyrighted material. Ensure your use complies with law and policy.

If you are not comfortable auditing the SKILL.md and the bundled code (especially the JS bundles that contact external APIs), treat this package cautiously or ask the publisher for provenance and a canonical upstream repository to verify integrity.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

VirusTotal

VirusTotal engine telemetry currently classifies this artifact as malicious.
