sprint-release-notes

Things to consider before installing or running this skill: - It requires a GitHub Personal Access Token (PAT) with repository (write) and Projects access to create/update Releases. The registry metadata does NOT declare this; expect the skill to ask you for the PAT at runtime or to read it from the included references/config.yaml file. - The package includes a sample references/config.yaml where users might be tempted to paste their PAT. Storing long-lived tokens in plaintext files is risky; prefer using a short-lived token or entering the token interactively and avoid committing it to disk or version control. - The code and instructions are coherent with the stated purpose (reading ProjectV2, PRs, commits, README, creating Releases), but the presence of a Discord webhook entry in references/config.yaml is not documented in SKILL.md. Confirm whether the script actually sends data to that webhook before providing secrets — this could be an unexpected external sink. - Run the included script with --dry-run first (the run script defaults to dry-run) and review generate_release_notes.py fully to confirm where it posts outputs and whether it transmits anything outside GitHub. - Restrict the PAT's scope and lifetime (limit to only the repos/orgs needed, consider a repo-scoped token or a token with minimal write scope), and monitor its usage. If you cannot verify why the token is required or where outputs go (especially to the webhook), do not provide a PAT. - Ask the publisher to update the registry metadata to declare the required credential and to document webhook behavior explicitly. If you want higher assurance, request that the skill avoid storing credentials in local files and only accept tokens interactively or via well-documented environment variables.