Beacon

The skill's name/description (agent pings, RustChain payments, UDP/Webhook transports) align with the included code (many transport modules, RustChain transport, UDP/webhook servers, identity/keystore handling). However there are mismatches: the registry metadata claims "No install spec — instruction-only" while SKILL.md and README show pip install instructions and the package includes >80 source files (Python/JS). SKILL.md/README claim a public GitHub source but the registry listing shows Source: unknown / Homepage: none. These inconsistencies (packaged code vs 'instruction-only', and a missing homepage/source in metadata) are unexpected and worth verifying.

Runtime instructions and docs ask you to create ~/.beacon/config.json, run servers (webhook serve, dashboard), enable UDP broadcasts, and use mayday (which sends a reconstitution payload). The codebase contains a Flask backend (atlas/beacon_chat.py) that exposes relay endpoints and proxies chat to an LLM at a hard-coded internal IP (OLLAMA_URL = http://100.75.100.89:11434). The README claims mayday "never include private keys" but the mayday feature is described as sending journal digests, active goals and trust snapshots — these could leak sensitive internal data if misconfigured. The SKILL.md also says "No post-install telemetry" but the web UI and boot scripts fetch remote endpoints (e.g., swarmhub.onrender.com) at runtime. Overall the instructions/behavior permit network services and data sharing beyond what a minimal "ping" helper implies, so exercise caution.

Registry metadata lists no install spec (instruction-only) yet SKILL.md/README instruct pip/npm install and the package contains full source and CLI entry points. That mismatch is notable: this is not a pure 'instructions-only' skill — installing it will install runnable code. There is no external download from untrusted URLs in an install script inside the skill (no installer URLs flagged), but because a full codebase is bundled and pip install is recommended, installing executes more surface area than the registry metadata suggests.

The skill declares no required environment variables or primary credential, but many transports and runtime features normally require credentials (Discord tokens, RustChain wallet keys or RPC credentials, webhook endpoints, possible cloud API keys). The codebase and docs reference storage at ~/.beacon/identity (keystores), running servers on port 8071, and developer publisher instructions that mention reading tokens from local files (PUBLISH_CHECKLIST shows exporting a GitHub token from ~/git.txt). The package therefore expects or encourages secrets/config usage at runtime that are not declared in the metadata — this mismatch is a red flag for undeclared credential needs and possible accidental exposure.

always:false (good), but the code implements long-running components: a Flask backend (atlas/beacon_chat.py) intended to run on port 8071, a webhook server, UDP broadcast/listen, and CLI tools that create on-disk keystores (~/.beacon/). Those behaviors are consistent with the skill's scope but have elevated privilege/attack surface (network listeners, local keystores, inbox files). There's no indication the skill will force-enable itself platform-wide, but running it creates persistent services and files that should be run only with intent and on an appropriately isolated host.