Financial Report AI

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill's code and runtime behavior conflict with its documentation: it sends user API keys and report data to external endpoints (including an unknown validator) while the README/SKILL.md claim analysis is local and no raw keys are stored.

This skill contains conflicting claims and behavior. It says analysis is local and keys are not stored, but the code sends the provided apiKey to an external validator (https://geo-api.yk-global.com/validate) and also sends report data (prompt + rows) to external AI provider endpoints. Before installing or supplying any real API keys or sensitive financial data, consider:

- Do not provide your real AI-provider API key until you confirm whether the 'apiKey' parameter is meant for subscription validation or for the AI provider. The code currently uses the same value for both.
- Treat geo-api.yk-global.com as an unknown third party: ask the publisher what that endpoint is, why it needs your key, and what they store. If you cannot verify the operator, avoid supplying secrets.
- Test the skill with non-sensitive dummy data and a throwaway API key to observe network behavior and which endpoints receive requests.
- Prefer a version that separates 'subscription token' from 'AI provider key', or that supports an offline/local-only mode where token validation is disabled and AI calls are optional/local.
- If you need this functionality, request the author to (a) make VALIDATE_ENDPOINT configurable, (b) clearly document whether apiKey is a subscription token or AI key, and (c) avoid sending raw user API keys to third-party validators or at minimum provide an option to opt out of validation.

Given the credential transmission and the contradiction between docs and code, proceed with caution; this is suspicious but could be sloppy design rather than intentionally malicious.

Static analysis

Dangerous exec (Critical): Shell command execution detected (child_process).

Env credential access (Critical): Environment variable access combined with network send.

Potential exfiltration (Warn): File read combined with network send (possible exfiltration).

VirusTotal

No VirusTotal findings

Risk analysis

No visible risk-analysis findings were reported for this release.