Brand Visibility Monitor
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill's code largely matches its stated purpose (web-scraping AI platforms, scoring, and optional push/paid features), but there are notable inconsistencies around required environment variables and an included API service that make the package incoherent and worth caution.
What to consider before installing/running:

- Incoherence: The registry says no env vars are required, but the code expects TAVILY_API_KEY (and the API server will raise an error if that env var is missing). Confirm whether you need the Tavily/yk-global API for your use case; if you don't plan to run the included Flask API, you can ignore that file but be careful when importing the package.
- External endpoints: The code contacts api.yk-global.com and api.tavily.com (license/paid verification and search proxy) and can POST reports to Feishu webhooks. Review and verify trust in those domains before providing API keys or webhooks.
- Local side-effects: The tool launches headless browsers via Playwright (network access), writes a local quota file (.geo_quota.json by default) and may write temp reports under /tmp. Run in an isolated environment (container/VM) if you are unsure.
- Secrets handling: Do not set unrelated sensitive credentials (AWS, GCP, database passwords) as env vars. Only provide GEO_API_KEY / TAVILY_API_KEY if you trust the service; Feishu webhook URLs will receive full reports, so only give a webhook for a group you control.
- Practical steps:
  (1) Inspect/remove or sandbox api/geo_api.py if you won't run a Flask server;
  (2) run the CLI scripts in a chroot/container or CI runner;
  (3) verify the domains (yk-global.com, tavily) and their privacy/terms;
  (4) keep Playwright isolated and ensure you understand network traffic;
  (5) ask the author to remove the hard failure on missing TAVILY_API_KEY or to document required env vars in the registry metadata.

Given the mismatches and external network behavior, proceed only after resolving the env-var/API questions or running the skill in a sandbox.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings
Risk analysis
No visible risk-analysis findings were reported for this release.
