qlik

This skill appears to be a functional Qlik Cloud integration, but there are important inconsistencies and privacy risks you should address before installing: - Metadata mismatch: The scripts require QLIK_TENANT and QLIK_API_KEY and need bash, curl, and python3, but the registry metadata declares none of these. Ask the publisher to update the skill manifest to explicitly require QLIK_TENANT and QLIK_API_KEY and list required binaries. - Do NOT store API keys in plaintext files (TOOLS.md or repository): SKILL.md tells you to add the API key to TOOLS.md which could leave secrets in your repo or agent workspace. Instead, keep the Qlik API key in a proper secret store or as an environment variable injected at runtime with minimal scope. - Review all scripts before running: Although the provided snippets call only the tenant URL and parse JSON, you (or an administrator) should quickly scan the remaining files (14 omitted in the manifest) to ensure there are no unexpected external endpoints or obfuscated/exfiltration logic. - Principle of least privilege: When generating the Qlik API key, restrict its permissions to only what the skill needs (read-only for queries, minimal write permissions only if you intend to create/delete apps or trigger reloads/automations). - Test in a safe environment: Run the scripts in an isolated environment or with a dedicated test tenant/account first to verify behavior and outputs. If you want to proceed, request that the publisher update the skill metadata to declare the required env vars and binaries and remove guidance that encourages storing secrets in repository files. If the publisher cannot or will not fix these mismatches, treat the skill as higher-risk and avoid installing it in production contexts.