Feature Forge

What to check before installing: - Metadata mismatch: SKILL.md and claw.json require node/npx/git and NEXT_PUBLIC_SUPABASE_* env vars, but registry 'Requirements' listed none; confirm with the publisher which is authoritative and why the registry record differs. - Filesystem & command execution: The skill will read and modify your repo and run commands (npx, tsc, tests). Run it only on a disposable branch or in a sandbox/container so changes are reviewable and won't affect production. - Env vars: The requested env vars are client-side/public Supabase keys (lower risk), but ensure no admin/service_role keys are ever provided. The skill states it will not read .env files; nevertheless, avoid running it in environments where secrets are accessible to the agent runtime. - Source provenance: The registry 'Source' was unknown and homepage was missing in the earlier summary, though claw.json references a GitHub URL. Prefer skills with a verifiable source repo and a known author—ask for the upstream repo link and inspect it yourself. - Review outputs: Require the skill to produce a patch/PR or a list of file diffs rather than committing directly, and review generated migrations and API routes before applying to your database. If the publisher provides a public repo that matches the published metadata and you can run the skill in an isolated environment (or it can be constrained to only output diffs), the risks are much lower. If you cannot verify provenance or cannot sandbox execution, do not grant it filesystem/command execution access to important repositories.