ℹ
Purpose & Capability
Code files (parser, layout, renderer) match the stated purpose. However, the package also contains billing modules that call an external service (skillpay.me), and the CLI reads a FEISHU_USER_ID environment variable. The billing/network calls are consistent with the Pricing section, but the skill metadata declared no required env vars or credentials.
!
Instruction Scope
SKILL.md promises local-only file handling under /tmp/org-chart and the code enforces that, which is good. But SKILL.md does not document the runtime requirement that a FEISHU_USER_ID env var may be read (main.py) or that a SKILLPAY_API_KEY may be used (scripts/billing.py). The billing code performs network calls to skillpay.me which is outside the described parsing/rendering scope and is not fully disclosed in runtime instructions.
ℹ
Install Mechanism
No install spec is provided (instruction-only), which is low-risk, but the package includes multiple executable code files. Having embedded code without an install/run explanation is an inconsistency: the skill may rely on these files being executed by the agent/platform even though no install steps are declared.
!
Credentials
The skill metadata lists no required env vars, but the code reads at least SKILLPAY_API_KEY (scripts/billing.py) and FEISHU_USER_ID (scripts/main.py). These credentials are proportional to billing but should be declared. The number and naming of env vars (API key and user id) are not communicated to users, which is a transparency issue and risks unexpected credential exposure.
✓
Persistence & Privilege
The skill does not request permanent/always-on presence and does not modify other skills or system-wide settings. It enforces a confined working directory (/tmp/org-chart) and does not attempt to write outside it.
What to consider before installing
This skill largely does what it says (parsing CSV/Excel and rendering PNG org charts), but there are important mismatches you should consider before installing:
- Billing/network calls: The code includes billing modules that call https://skillpay.me. If you care about network access or data leaving the environment, ask how billing is invoked and whether uploads or metadata are sent to that service.
- Undeclared environment variables: The runtime reads SKILLPAY_API_KEY and FEISHU_USER_ID but the skill metadata declares no required env vars. If you install, verify what values are expected and avoid setting sensitive keys unless you trust the vendor.
- Code included but no install instructions: The package contains runnable Python and JS files but provides no install spec. Confirm how the platform will execute these files and whether they'll run with the permissions/access you expect.
- If you want to proceed: run the skill in a sandboxed environment, do not set production API keys until you verify billing behavior, and ask the publisher to update SKILL.md/metadata to declare required env vars and clearly document the billing flow.
If you want, I can list the exact lines that reference environment variables and external endpoints, or draft questions to send to the skill author requesting clarification.