idea to product mvp

What to consider before installing: - Privacy: the skill automatically records and appends information it extracts from your conversation into `.skills-data/idea2mvp/data/user-profile.md` and does so without asking the user each time. If you or your users expect explicit consent before storing personal/background information, request the author change this behavior. - Credentials: the skill expects optional tokens (PRODUCTHUNT_TOKEN, GITHUB_TOKEN) and SMTP credentials for email. These are reasonable for the features, but they are stored in a plaintext `.skills-data/idea2mvp/.env` file by default — treat that file as sensitive and store it in a secure location or use an environment-managed secret vault instead. - Browser automation & persistent sessions: the xiaohongshu script uses Playwright with headful browser and persists user_data (cache/xhs_browser_data). That will open a browser instance and may store login sessions (cookies). Only run this on a machine/container you control and are comfortable having those session files written there. - TLS verification: the WeChat-search script disables certificate verification for its requests (SSLContext with verify_mode=CERT_NONE). This weakens network security; consider modifying the script to re-enable verification or only run it in a trusted network. - PROJECT_ROOT: the scripts expect PROJECT_ROOT to be set when invoked to control where `.skills-data/` is created. If not provided, the scripts will fallback to the current working directory and may write files into the skill repo directory — ensure the caller sets PROJECT_ROOT explicitly to an appropriate project path. - Email exfiltration risk: the skill can send reports via SMTP using credentials you provide; verify send_email.py implementation before providing SMTP credentials and ensure you trust the configured recipient address. - Operational recommendations: - Review send_email.py and any network call targets before adding SMTP or tokens. - Run the skill in an isolated environment (container or VM) if you want to limit blast radius. - Require the author to add an explicit user consent step before writing to user-profile.md and to avoid storing sensitive tokens in plaintext (or at least document secure handling). Also ask the author to remove or justify the disabled TLS verification in search_wechat.py. What would change this assessment: - If the author updated the skill to prompt and obtain explicit user consent before storing conversation-derived profile data, re-enabled TLS verification (or scoped the insecure context), and documented secure handling of credentials (or supported integration with a secrets manager), I would upgrade the verdict to benign (confidence dependent on changes).