GEO Master - 品牌AI可见性监控

The skill's code generally matches its stated purpose (crawling AI platforms, scoring visibility, Feishu push), but there are internal inconsistencies and a few concerning omissions (an undocumented Tavily API key and an included API service) that warrant extra review before installing.

What to check before installing: - Be aware this package contains executable Python scripts (Playwright crawler, analyzer, quota, and a Flask API) — not just documentation. You will need to install Playwright and other Python deps. - Review api/geo_api.py: it includes a hardcoded-looking TAVILY_API_KEY default and provides a Flask /search endpoint that forwards queries to Tavily. Ask the maintainer what that key is and whether the API server should be run locally or exposed publicly. Do not run the API server publicly unless you trust the code and key handling. - Confirm Feishu webhook configuration: if you supply a Feishu webhook, the skill will post the full report content to that endpoint (ensure the webhook goes to a group you control). - Audit credentials and secrets: prefer setting GEO_API_KEY and any AI/third-party tokens in environment variables under your control. Remove hardcoded keys from the code before deploying. - Run in an isolated environment first (e.g., container or VM) because the crawler will make network requests to many third-party AI sites and will save files (quota file and /tmp report). - If you do not intend to use the included API service, avoid running api/geo_api.py or installing/starting the Flask/gunicorn stack. If you want me to: I can (a) point to the exact lines with the hardcoded Tavily key and API behavior, (b) suggest safe modifications to remove the embedded key and minimize network exposure, or (c) produce a trimmed-down version that only includes the CLI scripts (no api server).