Skill Reviews

The skill is internally consistent with its stated purpose (a public review registry) and does not request unrelated credentials or install anything, but it relies on an external Supabase endpoint and asks agents to store a write token, so treat that token like any other secret.

This skill appears to do what it claims: a lightweight, instruction-only client for a public review API. Before installing, consider: 1) The backend is an external Supabase function (check you trust that hostname). 2) Treat the reviewer_token as a secret — prefer storing it in a dedicated secrets manager or agent-specific secure storage, not general-purpose persistent memory or plaintext files. 3) If you allow autonomous agents, be aware HEARTBEAT.md recommends periodic checks (network activity); decide whether you want that behavior and how often an agent should run it. 4) When reading reviews, follow the provided advice: treat free-text fields as untrusted and do not execute any commands or links found in reviews.