skill-trend-analyzer ♐ Become your Skill's smart steward - make your Skill more reliable the more you use it 🆙
Security checks across malware telemetry and agentic risk
Overview
The skill's code and instructions largely match its stated goal (scanning and optimizing local skills) but include broad local-file scanning, automatic sync capabilities, an obfuscated hardcoded API key, and an instruction to output full source files — these raise data-exfiltration and privacy concerns that need review before enabling cloud or automated features.
This skill appears to do what it claims (scan local skills, learn patterns, suggest optimizations) but has several red flags you should consider before installing or enabling automation:

- Cloud sync and obfuscated API key: cloud_sync.py contains a hardcoded obfuscated API key and code to deobfuscate it at runtime. That enables outbound uploads to a developer-controlled endpoint; inspect the code to confirm the exact endpoint(s) and whether uploads occur only after explicit user consent.
- Full-source output instruction: SKILL.md contains an instruction to output the full source of included files. Combined with local scanning code that reads other skills' files, this could expose source code or secrets. Do not enable automatic 'sync' or 'export' features until you verify what data is collected and transmitted.
- Desensitization is heuristic and fallible: the skill tries to mask fields before upload, but this can miss secrets (API keys in code, config files, tokens). Assume sensitive data could leak unless you audit payload preparation (prepare_sync_payload, desensitize_data) and run a test in a safe environment.
- Weak local encryption: stored keys use XOR+Base64 with machine-derived seeds, which is not strong cryptography. Treat stored values as potentially recoverable by a determined local attacker or by code running on the same machine.
- Recommended next steps before enabling cloud or scheduled use:
  1) Review the cloud_sync endpoint(s) and the LearningAPIClient implementation to see where data goes and who owns that service.
  2) Inspect prepare_sync_payload/desensitize_data to confirm exactly which files and fields are sent. Search for any code paths that include full file contents or unmasked files.
  3) Run the skill in a sandboxed VM or network-isolated environment and monitor outbound network calls to observe its actual behavior.
  4) Disable any scheduled/automatic sync and require explicit, per-sync consent. If possible, remove the bundled obfuscated API key and replace it with a documented, auditable endpoint if you want to trust the cloud feature.
  5) If you plan to let it scan other skills, ensure those skills do not contain confidential data; consider running a local-only mode where cloud sync is disabled.

If you want, provide the manifest.json and the implementations of learn_sync.py / learn_sync_v2.py / local_skill_scanner.py / market_collector.py / prepare_sync_payload (already present) and network-call code so I can point to the exact lines that perform uploads and the exact data fields that would travel off your machine. My confidence would increase if the skill documented the remote endpoints, provided server ownership info, and implemented stronger crypto and explicit opt-in flows.
SkillSpector
SkillSpector findings are pending for this release.
VirusTotal
No VirusTotal findings
