scanner

What to check before installing or running this skill: - Source/package mismatches: SKILL.md's pip list mentions tradingview_ta but the code imports tvDatafeed. Confirm which library is required and whether it has additional dependencies or auth requirements. - Avoid system-wide installs: do not run the suggested pip install with --break-system-packages on a machine you care about. Instead create and use a Python virtualenv (python -m venv .venv; .venv/bin/pip install ...) to contain changes. - Confirm file paths: SKILL.md examples reference scripts/scanner.py but the bundle contains scanner.py at the repository root — run the actual file provided and/or update commands to the correct path. - Inspect full scanner.py before running: review the remainder of the file (it was truncated in the listing) to ensure there are no hidden network endpoints, telemetry calls, or obfuscated code that would transmit your vault contents elsewhere. - Run in demo/safe mode first: use the script's --demo mode and verify outputs locally before pointing it at your real Obsidian vault. - Limit network exposure while testing: if possible, run the scanner on a machine or environment with monitored network egress so you can detect unexpected outbound connections. Also be aware tvDatafeed scrapes TradingView and may be subject to TOS and rate limits. - Back up your Obsidian vault first and confirm that the script only writes to the output directory you specify. If the maintainer can (a) fix the documentation to list the correct dependency (tvDatafeed) and correct script path, (b) remove the recommendation to use --break-system-packages and advise using a venv, and (c) confirm there are no external endpoints in the remaining code, this would reduce the risk and could change the assessment to benign. Conversely, if the remaining code contains outbound POSTs or hidden upload endpoints, that would raise the severity.