Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Taobao Advisor

v1.0.0

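Ad-placement plan generation & full-lifecycle operations guidance - generates plans/suggestions/reports only, performs no ad-placement operations, read-only API permissions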

0 · 92 · 1 current · 1 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for guowaa223/taobao-advisor.

Install the skill "Taobao Advisor" (guowaa223/taobao-advisor) from ClawHub.
Skill page: https://clawhub.ai/guowaa223/taobao-advisor
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install taobao-advisor

ClawHub CLI

npx clawhub@latest install taobao-advisor

Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description promise a read-only plan/advice generator — the included Python script implements local report generation (Excel/MD) and does not perform write operations to external ad platforms. Dependencies (pandas, openpyxl) match that purpose. However metadata and docs mention optional Taobao API usage (read-only) but the skill does not declare or require any Taobao API environment variables; requirements include 'requests' though the current code doesn't use it. There is also an ownerId mismatch between registry metadata and _meta.json, which suggests packaging dishonesty or an incorrect import.
Instruction Scope
SKILL.md and README instruct running the included script to generate reports and explicitly state the tool will not execute ad operations. The code creates local 'reports' and 'logs' files and prints reminders to perform manual actions. There are no network calls or unexpected external endpoints in the code as provided.
Install Mechanism
No install spec; this is an instruction+code skill. Dependencies are provided in requirements.txt (standard PyPI packages). Nothing is downloaded from arbitrary URLs or executed during install.
Credentials
The script calls load_dotenv() and the README references a .env.example/.env for optional Taobao API keys, but the skill manifest lists no required env vars and the package as delivered does not include .env.example in the file manifest. That mismatch means the skill could read secrets from a .env if present (potentially API keys) even though no API usage is implemented today. The presence of 'requests' in requirements increases the potential blast radius if the code is modified later to call external APIs. Also the _meta.json ownerId differs from the registry ownerId, which raises provenance concerns.
Persistence & Privilege
always=false and user-invocable=true. The skill only writes logs and report files under its own directory (./logs, ./reports). It does not request persistent system-wide privileges or modify other skills' configs.
What to consider before installing
Key things to consider before installing or running:
- Provenance: verify the skill author/owner (ownerId mismatch in _meta.json vs registry) before trusting it with secrets or production use.
- Do not place any sensitive credentials in a .env file in the skill directory until you audit the code. The script calls load_dotenv() and would read any env vars present, even though current code does not use external APIs.
- The bundle is currently buggy: the main script contains syntax/argparse issues (non-ASCII/fullwidth commas and unusual option names) that will likely cause the CLI to crash; treat it as not production-ready and review/fix code before use.
- Run in a sandboxed environment (isolated VM or container) and inspect the code yourself (or have a developer review it). Check for hidden network calls or added code that could use 'requests' to exfiltrate data.
- If you intend to use Taobao API keys for optional features, only provide minimal read-only credentials, store them securely, and confirm the skill actually needs them. Prefer creating a limited test account for this skill.
- Suggested remediation before trusting: fix the CLI syntax errors, remove unnecessary dependency 'requests' if not used, add an explicit list of expected environment variables if API calls are supported, and correct the metadata/packaging inconsistencies.

Confidence is medium because the code is straightforward and presently local-only, but the provenance/packaging mismatches and the presence of dotenv + unused networking deps introduce nontrivial risk if the package is modified or the missing files are added later.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📊 Clawdis
OS: Windows
Bins: python3
latest: vk971r03bztv55zxk5z19axv1z583w35n
92 downloads
0 stars
1 version
Updated 4w ago
v1.0.0
MIT-0

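Ad-Placement Plan Generation & Full-Lifecycle Operations Guidance Skill

⚠️ Important Security Statement

This skill strictly follows these iron-clad security rules:

  1. No ad-placement operations - generates only plans, optimization suggestions and review reports; all operations involving funds are performed by a human
  2. Read-only API permissions - requests only read access to ad-placement data and no write permissions of any kind
  3. Menswear non-standard-product characteristics - 100% tailored to the menswear category, in line with the latest Wanxiangtai Wujie (万相台无界) and Zhitongche (直通车) rules
  4. Manual confirmation before execution - every suggestion must be reviewed by a human and then executed manually

Feature Overview

Core feature modules (suggestions only)

Module | Function | Output | Manual confirmation
New-product test plan | 7-day test plan generation | "New Product Test Ad-Placement Plan" | ✅ Required
Optimization suggestion generation | Data monitoring every 2 hours | "Ad-Placement Adjustment Review Sheet" | ✅ Required
Review report generation | Daily/weekly/monthly review | Ad-placement daily/weekly/monthly reports | ✅ Required
Full-lifecycle operations guidance | New product/growth/peak/season change | "Operations Guidance Handbook" | ✅ Required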

Usage commands

1. New-product test plan generation

python scripts/advisor_main.py test-plan --款号 KZ20260326 --预算 5000 --周期 7

2. Optimization suggestion generation

python scripts/advisor_main.py optimize --计划 ID 12345 --时间范围 今日

3. Review report generation

python scripts/advisor_main.py review --周期 日 --日期 2026-03-26

4. Full-lifecycle operations guidance

python scripts/advisor_main.py lifecycle --款号 KZ20260326 --阶段 新品期

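Outputs

1. "New Product Test Ad-Placement Plan" (Excel)

2. "Ad-Placement Adjustment Review Sheet" (Excel)

3. Ad-placement daily/weekly/monthly reports

4. "Product Full-Lifecycle Operations Guidance Handbook"

5. "Daily Key Operations Checklist"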


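Security and Compliance Statement

This skill will not:

  • ❌ Create or adjust any ad-placement plan
  • ❌ Modify any bid or budget
  • ❌ Start or stop any plan
  • ❌ Request any write-permission API
  • ❌ Operate on ad-placement data beyond its authorization

This skill only supports:

  • ✅ Generating ad-placement plans
  • ✅ Generating optimization suggestions
  • ✅ Generating review reports
  • ✅ Generating operations guidance
  • ✅ Reading ad-placement data (read-only)

📊 Ad-placement plan generation - suggestions only, manual execution, compliance first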
