!
Purpose & Capability
The code implements Polymarket market fetching and SkillPay payment flows, which matches the description. However, the metadata is inconsistent: the top-level registry summary states 'required env vars: none' and SKILL.md omits credentials, while skill.yaml declares SKILLPAY_API_KEY as required. An embedded SKILLPAY_API_KEY literal in main.py is also disproportionate; the key should be read from a runtime environment variable instead.
!
Instruction Scope
SKILL.md gives only a high-level description and a deployment note, while the actual code performs network calls to Polymarket and SkillPay and implements payment polling and charge creation. The code also enables very permissive CORS (allow_origins=['*'], allow_origin_regex='.*'). Additionally, the GET /invoke handler references an undefined API_KEY variable (likely a bug), which will raise a NameError at runtime; this mismatch between the documented instructions and the actual runtime behavior is concerning.
✓
Install Mechanism
There is no install-from-URL behavior; requirements.txt lists standard Python packages (fastapi, uvicorn, requests, pydantic). No archive downloads or unusual install steps are present.
!
Credentials
The skill requires network access and a SkillPay API key (skill.yaml). That is proportionate to payment functionality, but main.py contains a hardcoded SKILLPAY_API_KEY string embedded in the source, which is a secret leak and unacceptable. SKILL.md also does not document the env var requirement, and the registry summary initially claimed none, producing confusing and potentially dangerous expectations for users. If the embedded key is valid, it has already been exposed and should be rotated.
✓
Persistence & Privilege
The skill does not request 'always: true' or other elevated platform privileges and does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default).
Scan Findings in Context
[hardcoded-api-key-in-source] unexpected: main.py contains a literal SkillPay API key string assigned to SKILLPAY_API_KEY. A payment-integration skill should read this from an environment variable or secret store, not embed it in source. This is a credential exposure risk.
[undefined-variable-runtime-bug] unexpected: The GET /invoke route returns the expression API_KEY is not None, but API_KEY is not defined anywhere in main.py, so any request to that route will raise a NameError at runtime. This indicates the packaged code may be untested or was modified incorrectly.
What to consider before installing
Do not install or run this skill until the developer fixes the issues. Specific actions to take:
1) Treat the embedded SKILLPAY_API_KEY as compromised and do not rely on it; if you control that SkillPay account, rotate/revoke the key immediately.
2) Require the developer to remove hardcoded secrets and read SKILLPAY_API_KEY from an environment variable or secret manager, and to update SKILL.md to document the required env vars.
3) Fix the runtime bug (undefined API_KEY) and re-test.
4) Confirm the SkillPay account used is owned by the skill author and that you accept paying through it; otherwise configure your own SkillPay credentials.
5) Consider the permissive network/CORS settings and ensure you are comfortable with outbound network calls to api.skillpay.me and clob.polymarket.com.
If you don't trust the author or cannot get these fixes, classify this skill as unsafe to use.