What to check before installing: - Metadata mismatch: the registry metadata declared no required env vars but SKILL.md and the script require DISCORD_WEBHOOK_URL — confirm this and update metadata before installing. - Do NOT put your Discord webhook secret into a global OpenClaw .env unless you accept that other skills/processes could access it. Prefer storing the webhook in a skill-specific .env mounted only into the skill folder, use a secrets manager, or pass it at runtime if the platform supports per-skill secrets. - Review scripts/install.sh: it runs pip install and attempts --break-system-packages first. If you're running in a production container, prefer installing dependencies into a virtualenv, image build step, or Dockerfile to avoid changing host/system packages. - Verify the webhook channel permissions: create a dedicated webhook with minimal permissions and a dedicated channel for notifications to limit impact if the webhook leaks. - Confirm the scraper behavior is acceptable (rate limits, robots.txt, target URLs) and that the skill will not run at a frequency that could trigger rate limits or blocking. - Inspect and control file write location: the script writes data/seen_tickets.json under the skill directory. Ensure directory permissions are appropriate and the data directory is not world-readable if that matters. - If you need lower blast radius, consider running this skill in an isolated container where the webhook env is supplied only to that container, or modify the skill to accept the webhook as an explicit argument rather than requiring global env changes. Given these points, the package appears to implement the stated functionality, but the deployment guidance increases secret exposure and the metadata inconsistency should be resolved — treat the package as suspicious until you confirm safe deployment practices.