Sfe Dm Data Viewer

This skill appears to implement the functionality it claims, but there are several red flags you should consider before installing or running it: - Secrets / env vars: The included scripts require an app key via XG_BIZ_API_KEY or XG_APP_KEY, but the skill metadata did not declare this. Expect to provide that secret if you run the scripts. Only set such keys if you trust the API and code. - Automatic install of another skill: SKILL.md tells the agent to run 'npx clawhub@latest install cms-auth-skills --force' (and a GitHub fallback). That will download and install external code at runtime. Review the cms-auth-skills code/repo first and avoid automatic installs from unknown sources. - Missing runtime assumptions: The instructions assume 'npx'/'clawhub' are available; the skill metadata did not declare required binaries. If the agent attempts to run those commands and they are present, code will be fetched and executed. - TLS verification disabled: Both API scripts call requests.post(..., verify=False), which disables HTTPS certificate verification — this makes network communication vulnerable to MITM and could leak the app key. You should modify scripts to use verify=True (or remove the flag) before running in production. - Code review: The TOON encoder is large but appears to be a serialization utility. Still, review the cms-auth-skills (if installed) and included scripts for any additional network calls, logging of secrets, or persistence of credentials. Recommendations: do not let the agent auto-run the npx install; instead manually inspect cms-auth-skills repository and the included scripts. Fix verify=False, ensure you only provide the minimal API key needed, and run the scripts in a controlled environment first (or run curl requests manually if you prefer). If you are not comfortable reviewing the external cms-auth-skills code, avoid installing or running this skill.