Skylight

This skill appears to do what it claims (talk to the Skylight API), but there are a few red flags you should consider before installing or using it: - Metadata mismatch: The registry only lists SKYLIGHT_FRAME_ID and SKYLIGHT_EMAIL, but the runtime instructions require SKYLIGHT_PASSWORD or SKYLIGHT_TOKEN (and optionally SKYLIGHT_URL). Treat that as sloppy or incomplete metadata — verify expected env vars before supplying credentials. - Credentials exposure: The recommended flow logs in with your email and password to obtain a token. Only use this with accounts you control. Prefer using a pre-captured token or a scoped credential if possible, and rotate your password/token after testing. - Proxy token-capture guidance: The skill suggests using an HTTPS proxy and trusting a root certificate to capture tokens. Installing/trusting a root cert is risky and can expose all HTTPS traffic on your machine — avoid this unless you fully understand the risks and trust the environment. - Undeclared tools: Examples call jq and base64 but the skill metadata only required curl. If you run these commands locally, ensure you understand what each command does and that you have the expected tooling. - Source verification: The skill source is 'unknown' in the registry. Check the skill author/publisher identity and prefer an official or well-audited implementation. If you must use it, limit usage to a test account, monitor network traffic, and rotate credentials after use. If you want to proceed: prefer supplying only a pre-captured token with minimal scope, avoid following the MITM proxy instructions unless necessary, and verify the skill's metadata and source first.