Nodetool

What to consider before installing or following this skill's instructions: - Do not blindly run the curl | bash or PowerShell iex install commands. Those execute code fetched at install time; inspect the install.sh / install.ps1 on the GitHub repo first (open the raw file in your browser or clone the repo). Prefer packaged installers or manual installation steps when possible. - The installer supports a non-interactive/silent mode; that can hide prompts and make an install opaque. Avoid using -y / -Yes until you've audited the script. - The SKILL.md shows commands that expose network services (serve --host 0.0.0.0, chat-server, proxy-daemon). If you run these, ensure proper firewalling, authentication, and that you understand which ports will be opened and to whom the service will be accessible. - The doc references auth tokens and a 'settings show' command that can surface secrets. Do not supply high-privilege credentials (cloud keys, DB admin creds) unless you trust the code and have reviewed how those credentials are stored/used. Prefer scoped, minimal-permission tokens. - Model downloads (HuggingFace/Ollama) can pull large artifacts and may require API tokens. Confirm the download URLs and whether the tool uses official model registries. - Confirm the upstream source: SKILL.md references a GitHub repository and the package.json homepage nodetool.ai. Verify those projects/owners (GitHub repo, releases, signers) before installing from them. Check for an official release instead of raw branch installs. - If you want to try it but are not comfortable auditing code, run the installer and service inside an isolated VM, container, or dedicated sandboxed machine with no access to sensitive credentials or internal networks. Given the mix of benign alignment and several operational risks (remote install script, silent install, network-facing services, secret handling) I recommend treating this as suspicious until you or someone you trust audits the referenced installer and repository.