WorkRally

The skill’s requirements, instructions, and install method are consistent with a CLI that talks to the WorkRally platform and nothing obviously unrelated or coercive is requested.

This skill appears coherent with its stated purpose, but before installing: 1) Verify the npm package provenance (publisher, package page, and checksum) to avoid a malicious package with the same name. 2) Use a scoped/minimally privileged WorkRally API key (rotate/revokeable) rather than broad or long-lived credentials. 3) Be aware the CLI persists the API key in a config file (default ~/.workrally/config.json or path set by WORKRALLY_CONFIG_DIR) — protect that file and avoid putting your API key in shared shells. 4) The CLI exposes a 'tools call' passthrough that can invoke many server-side actions — only grant the agent permission to run commands you expect. 5) If you have concerns about running third-party npm code, review the package source or run it in a restricted/sandboxed environment first.