The skill is a coherent cost-optimization toolkit, but several helper scripts unsafely execute local configuration files as code and some reporting features under-disclose sensitive data flows.
Review before installing. Run these scripts only against configuration files you trust, avoid plaintext HTTP provider or instance URLs, treat instances.json and OpenRouter/API keys as secrets, and do not enable webhooks or cron templates until you understand exactly what data will be read or sent. The main issue to fix is replacing new Function config parsing with safe JSON/JSON5 parsing.