commit-analytics

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill mostly does what it says (analyzes commits via the GitHub API) but the package metadata omits the required GITHUB_TOKEN and the code can silently POST commit diffs to an arbitrary dashboard URL — a potential data-exfiltration risk that is not documented in SKILL.md.

Before installing or using this skill:

1. Note that the package metadata does NOT declare the required GITHUB_TOKEN even though SKILL.md and the script require it. Ask the publisher to fix the metadata.
2. Review and restrict the token: use the minimum GitHub scopes needed (read-only, limited-repo or fine-grained token) and avoid granting write/admin scopes.
3. Do not pass a --dashboard URL to the script unless you fully trust the endpoint; the script will POST analytics including filenames and code diffs (potentially sensitive).
4. If you plan to run it, audit the included scripts yourself or run in an isolated environment; consider removing or modifying submit_analytics to prevent external POSTs.
5. Prefer a vendor/source with a homepage or repository and clearer documentation. The current package has no homepage and lacks transparency.

If the publisher provides more context (why dashboard submission exists and what scopes are required), re-evaluate; currently the combination of undocumented external submission and missing metadata makes this suspicious.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

No VirusTotal findings for this skill version.

Risk analysis

No visible risk-analysis findings were reported for this release.