Brand DNA Extractor
Review
Audited by ClawScan on Mar 7, 2026.
Overview
The instructions mostly match a brand-extraction tool, but there are inconsistencies and a few overbroad privilege/credential asks (notably a Supabase service role key and dual VLM API keys) plus implicit installation/runtime assumptions that don't line up with the registry metadata.
This skill appears to do what it says (web-scrape + visual analysis), but there are a few red flags you should consider before installing or providing secrets:

- Do not provide a Supabase 'service role' key; it is highly privileged. If you want caching, prefer a restricted read/write token or skip storage entirely.
- The skill will send scraped images/visuals to third-party VLMs (Google Gemini/OpenAI) — only use with sites you have permission to analyze and only if you accept that data will be transmitted to those providers.
- The registry lists no required env vars but SKILL.md expects API keys; ask the publisher to clarify required credentials and why both VLM keys are needed.
- There is no code bundle or install spec even though the docs show a Python package API and optional Playwright install. Confirm where the implementation lives and whether you must install third-party packages (and audit them) before running.
- If you test this, run it in a constrained environment (isolated VM/container), avoid giving broad DB/service role keys, and limit crawling scope (max_subpages=0 or domain-only) until you’ve verified behavior.

If the publisher can (a) provide the actual package source or a vetted install URL, (b) remove the need for a service role key or explain minimal-permission alternatives, and (c) add clear data handling/retention notes, the remaining concerns would be largely mitigated.
