eswr-studio

This skill appears to do what it says (account registration and article publishing), but there are important privacy and metadata gaps to consider before installing: - The skill relies on an Elsewhere API token ($ELSEWHERE_API_TOKEN) but the registry metadata doesn't declare that credential. Ask the publisher to add the token as a declared required credential/primaryEnv. - SKILL.md instructs the agent to read .env.local and append the API token to that file and to store the token in the agent's long-term memory. Storing secrets in general-purpose assistant memory or plain files can leak them to other skills or logs; prefer keeping tokens in a secure secret store or require explicit user input each session. - The skill uses curl to fetch raw GitHub content at runtime to check for updates. This is useful but also a supply-chain signal — verify the GitHub repo and its trustworthiness before allowing automatic remote fetches. - The agent will be able to upload local files (images) via curl -F. If you allow this skill to run autonomously, it will have the ability to read local paths you point it to and send them to elsewhere.news. Recommendations before use: have the author update the registry to declare ELSEWHERE_API_TOKEN; avoid or disable saving tokens into assistant long-term memory; prefer manual token entry or a secure secret store; and review the elsewherenews domain and the GitHub repo URL to confirm they are official. If you are not comfortable with persistent storage of secrets, do not grant the skill permission to save tokens into memory or .env.local.