Creator Intel V5

What to consider before installing: - Filename mismatch: SKILL.md refers to scripts/generate_intel.py but the repository provides scripts/generate_brief.py. Ask the author to confirm which script is authoritative and provide a matching README or corrected files. - Hardcoded API key: the Python file contains a hardcoded TAVILY_API_KEY value. Treat this as suspicious until you verify its origin. Do not assume it is safe — it may be a disposable/dev key or someone else's credential. Prefer that the skill read the API key from an environment variable (declared in the skill metadata) rather than embedding it in code. - Undeclared credential: the skill metadata lists no required env vars, but the code calls an external API with a key. Ask the author to declare required credentials so you can manage/rotate them properly. - Network behavior: the skill makes POST requests to api.tavily.com and fetches RSS feeds. If you plan to run this skill, run it in a restricted environment or sandbox and monitor outbound connections until you confirm expected behavior. - Storage: the skill writes history to ~/.openclaw/creator-intel/history.json. If that is sensitive in your environment, run with a different HOME or modify the path. Recommended actions: 1) Request corrected files and an explanation of the hardcoded key from the publisher. 2) Refuse to use the embedded key; configure your own Tavily API key via an env var and ask the author to update the code to read from the env var (and update skill metadata to require it). 3) If you already used the embedded key, consider it compromised and rotate it with the Tavily service. 4) Run the skill first in a sandboxed account and monitor network calls and created files. Confidence note: medium — the behavior fits a news-aggregator, but the metadata/code inconsistencies and embedded credential are clear red flags that warrant verification before trusting or enabling autonomous runs.