Streaming Buddy

Things to check before installing: 1) API key handling: The skill's metadata claims TMDB_API_KEY is an environment variable, but the script reads the key from $WORKSPACE/memory/streaming-buddy/config.json. Decide which you prefer. If you want to use an environment variable, inspect/modify handler.sh to accept ${TMDB_API_KEY} from the environment (or store the key locally if you prefer not to expose it as a process env). 2) Undeclared utilities: The script uses md5sum and stat and relies on specific stat flags; ensure these are available on your platform (or adapt the script). The declared required binaries list only jq and curl — consider adding md5sum and verifying stat behavior. 3) Workspace permissions: The skill writes persistent data under the provided workspace path. Make sure that workspace is a directory you trust and that sensitive credentials are stored where you expect. The config.json file will contain your API key in cleartext if you follow SKILL.md instructions. 4) Network traffic: The handler performs outbound HTTPS calls to api.themoviedb.org (expected). The references mention JustWatch's GraphQL endpoint only as an alternative; the shipped handler does not call JustWatch directly. If you see any modifications to the script that call other endpoints, review them carefully. 5) Review the full handler script: We reviewed the visible portions and found no obfuscated code or hidden endpoints, but the script is sizable and truncated in the package listing — before trusting it, open and read the entire scripts/handler.sh to confirm its behavior matches expectations (especially preference updates, any telemetry, or unexpected external requests). If these issues (env-vs-config mismatch, undeclared md5sum/stat dependency) are acceptable and you host the workspace in a place you control, the skill's behavior is coherent with its purpose. If not, request or make the small fixes above before enabling it.