ℹ Purpose & Capability
The code implements the stated live-check and alerting functionality (user registration, check-in, scheduled checks, multi-channel notifiers). However, there are clear copy-paste artifacts (strings like 'GitHub Trending Monitor', email/telegram/discord functions named sendTrendingReport, and message text that references trending repos) that are unrelated to an 'alive check' service and indicate the code was reused without full adaptation.
! Instruction Scope
SKILL.md and README instruct normal install/run and specify the required config (SKILLPAY_API_KEY and optional notifier tokens). The runtime code reads/writes local data under ./data (users.json/checkins.json), which is expected. But SKILL.md/README list SMS and other features that are not implemented (no SMS notifier file), and some notifier functions are mismatched (they expect a 'repos' argument but are called with empty arrays and a message passed in options). Also, the manifest/registry metadata earlier claimed 'required env vars: none' while the docs and code expect SKILLPAY_API_KEY; this inconsistency is concerning.
✓ Install Mechanism
This is an instruction + npm project (no external download URLs). Dependencies are standard npm packages (express, axios, telegraf, discord.js, nodemailer, node-cron). Installation via npm install/npm start is typical; no high-risk installers or arbitrary remote archives are used.
! Credentials
The service legitimately needs a payment API key (SKILLPAY_API_KEY) and optional notifier tokens. However, the skill manifest/registry metadata claimed no required env vars while SKILL.md, README, and src/index.js expect SKILLPAY_API_KEY and notifier tokens, a mismatch. Worse, skill.json in the package contains an apparent SkillPay API key value embedded in the repo (a hard-coded secret), which is unexpected and risky (secret leak / can be abused).
✓ Persistence & Privilege
The skill does not request always:true and does not modify other skills. It persists user data to a local data/ directory (users.json/checkins.json) and schedules periodic checks via node-cron, behavior consistent with a monitoring service. Autonomous invocation (the default) is enabled, which is expected for this kind of scheduled monitor.
Scan Findings in Context
[hardcoded_api_key] unexpected: skill.json contains a long SkillPay-like apiKey value embedded in the repository. API keys should not be hard-coded in published packages or manifests; this looks like a secret leak or a placeholder that could be abused.
[copy_paste_artifacts] unexpected: Multiple notifier modules and email/telegram message templates reference 'GitHub Trending Monitor' and use function names like sendTrendingReport. This is inconsistent with the 'alive check' purpose and indicates reused code that was not fully adapted.
What to consider before installing
Key things to consider before installing or using this skill:
- Do not treat the bundled apiKey as safe: skill.json contains a hard-coded SkillPay-looking API key. Assume it is leaked or invalid; if you use the SkillPay integration, replace it with your own key and rotate any exposed key immediately.
- Manifest vs. docs mismatch: the registry metadata said no required env vars, but SKILL.md/README and the code expect SKILLPAY_API_KEY and optional notifier tokens (Telegram/Discord/Email). Supply credentials via environment variables, not by embedding them in files.
- Copy-paste artifacts: notifier code and templates reference an unrelated 'GitHub Trending Monitor'. This is likely reused code; review notifier behavior carefully so that alerts sent to contacts contain correct information and no unexpected content.
- Test in an isolated environment: run the service locally in a sandbox, with test users and test contact endpoints (not real emergency contacts), to confirm notifications and scheduled checks behave as expected.
- Privacy and safety: the skill stores user data locally (data/users.json, data/checkins.json). Ensure the host environment has appropriate disk encryption, backups, and access controls. Confirm compliance with local laws and the consent of monitored users.
- Payment integration: verify SkillPay endpoint (https://api.skillpay.me) and confirm what data is sent during payment verification/logging; consider running with SKILLPAY disabled until you audit it.
- Before production use: eliminate unused/incorrect code (trending-related templates), ensure the SMS notifier is implemented if you plan to rely on SMS, and conduct a code review or security audit if real people's safety depends on the system.
If you want, I can list the exact lines/files where the hard-coded apiKey and the 'GitHub Trending Monitor' strings appear and suggest concrete changes to sanitize the code.