Technical Eval

This skill appears to implement a legitimate technical-evaluation workflow, but there are important mismatches you should address before installing or running it: - The package metadata declares no required credentials, yet the included tavily-config.sh and README expect a TAVILY_API_KEY stored in ~/.openclaw/.env. Treat this as a required credential unless you modify the skill. - The shell script exports every non-comment line from ~/.openclaw/.env into the environment. If that file contains other secrets (AWS keys, DB passwords, tokens), they will be injected into the skill's runtime environment. Either (a) ensure ~/.openclaw/.env contains only TAVILY_API_KEY and no other secrets, (b) modify tavily-config.sh to only read the specific variable needed in a safe way, or (c) run the skill in an isolated environment/user account. - The skill will write reports and data to ~/.openclaw/workspace/... — confirm you are comfortable with those files being created on your machine and that file permissions are acceptable. - Review network behavior: the workflow implies fetching data from many public domains (mlperf.org, github.com, stackoverflow.com, gartner.com, etc.). If you have network or privacy concerns, run it in a sandbox or restrict outbound access to only the sources you approve. - If you plan to give it the TAVILY_API_KEY, prefer creating a minimal .env that contains only that key and verify tavily-config.sh (or the runtime logic) does not send that key to unknown endpoints. Consider auditing or sandboxing the skill first. If you want, I can: (1) show a safer replacement for tavily-config.sh that only reads TAVILY_API_KEY without exporting other variables, (2) suggest a checklist to run this skill in a containerized sandbox, or (3) produce a minimal manifest update that properly declares the required env var and config paths.