Panda Data Skill

Key things to check before installing or using this skill: - Metadata mismatch: SKILL.md says you must set PANDA_DATA_USERNAME and PANDA_DATA_PASSWORD and install a local panda_data/panda_tools wheel, but the registry metadata lists no required env vars or install steps. Ask the publisher to fix the metadata or document this clearly. - Verify package origin: the README/homepage points to a GitHub repo. Download and inspect the panda_tools / panda_data package source (or wheel) from that repo before installing. Prefer installing from an official release tarball or GitHub release with checksums. - Inspect CredentialManager: review the implementation of CredentialManager.init_from_env() in the panda_tools package to confirm which environment variables it reads and how it uses/transmits credentials (e.g., ensure it only sends credentials to PandaAI endpoints and does not log or post them elsewhere). - Least privilege: create a dedicated API account with minimal permissions for this skill rather than reusing high-privilege credentials. - Run in isolation: until verified, run the skill in a sandboxed environment (container/VM) and avoid exposing other credentials or sensitive data in the environment. - If you need registry transparency: request that the skill author update the registry metadata to declare required env vars and any install requirements so automated vetting and users are not surprised. These steps will reduce risk and clarify whether the credential handling and package provenance are trustworthy.