Crewai Team

This package appears to implement a legitimate CrewAI multi-agent PRD generator, but exercise caution before running it. Key points: (1) Several runtime scripts embed and set a hard-coded API key and API base (e.g., run_discussion.py and others set os.environ['OPENAI_API_KEY'] = "sk-..." and OPENAI_API_BASE to a DashScope URL). Embedded secrets are a serious red flag — they may be stale, leaked, or intentionally included to route usage through someone else's account. (2) The SKILL.md/SETUP.md tell you to configure your own .env/DASHSCOPE_API_KEY, yet the registry metadata lists no env vars — this inconsistency suggests sloppy or unsafe packaging. (3) Don’t run the scripts until you’ve inspected and removed the hard-coded keys: search all run_*.py and team_config files for os.environ assignments and replace them with secure code that reads from your .env or process environment. (4) If the embedded key is valid, treat it as compromised: do not rely on it, and rotate any of your own keys if you ran these scripts with them present. (5) Prefer running in an isolated environment (container or VM), review network calls (especially to the configured OPENAI_API_BASE / dashscope endpoint), and review send-to-external integrations (Feishu/webhook code) before use. If you want to proceed safely: a) remove/neutralize the hard-coded key lines, b) ensure the code reads API credentials only from your explicit .env or process env, c) run tests offline or with a known test key, and d) consider auditing the code for any unexpected outbound network calls.