N2SQL Pro

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The package mostly matches its NL2SQL purpose, but it claims 'fully offline' while the code makes remote token-validation and (optionally) OpenAI calls — and the API key handling is ambiguous in ways that could leak secrets if a user passes the wrong key.

This package implements NL→SQL for CSV/Excel and otherwise appears coherent, but there are two red flags you should consider before installing or providing secrets:

1) 'Offline' claim vs network calls: config.py POSTs the provided api_key to https://geo-api.yk-global.com/validate to check license tiers. If you pass any key to the service, that key will be transmitted to that endpoint.

2) Ambiguous API key usage: The code treats the single api_key parameter both as a product license key (SQL‑PRO etc.) and as the OpenAI API key for GPT-4. If you accidentally pass your real OpenAI API key as the --api-key parameter, the library will both try to use it with OpenAI and also send it to the external validation server, risking secret exposure.

Recommendations:

- Do not pass secrets you care about (e.g., your OpenAI sk- key) as the CLI --api-key unless you have reviewed the source and are sure the key is intended for the service. Prefer not to provide any key, which will run the offline rule-based fallback.

- If you want OpenAI integration, consider modifying the code to separate license_key and openai_api_key clearly, and ensure only the license_key (not the OpenAI key) is sent to the vendor endpoint; better still, remove automatic transmission of any user-provided OpenAI key to third parties.

- If you plan to use this in a sensitive environment, audit the VALIDATE_API_URL behavior and decide whether you trust that endpoint; consider running with api_key unset (offline fallback) or running a local patch that disables remote validation.

Given these inconsistencies (offline promise vs network activity and ambiguous key handling), treat installation as potentially risky until you confirm how keys are used and where they are sent.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

No VirusTotal findings


Risk analysis

No visible risk-analysis findings were reported for this release.