Query ecobee thermostat data via Beestat API including temperature, humidity, air quality (CO2, VOC), sensors, and HVAC runtime. Use when user asks about home temperature, thermostat status, air quality, or heating/cooling usage.
Security Analysis
Confidence: medium
The skill's runtime instructions (installing an npm CLI and using a BEESTAT_API_KEY) match its stated purpose, but the registry metadata omits those requirements, and the suggested global npm install carries moderate supply-chain and integrity risk. The inconsistencies deserve caution before installing the package or granting credentials.
The SKILL.md describes a CLI that queries Beestat/ecobee data and requires the beestat CLI plus BEESTAT_API_KEY; this is coherent with the stated purpose. However, the registry metadata shown to the scanner lists no required binaries or environment variables, while the SKILL.md metadata declares bins:["beestat"] and env:["BEESTAT_API_KEY"]. That mismatch in the package metadata should be resolved before the skill is trusted.
The instructions are narrowly scoped: they tell the user to install an npm package, obtain an API key from beestat.io, set BEESTAT_API_KEY, and run CLI commands to fetch thermostat, sensor, and air-quality data. There are no instructions to read unrelated local files or exfiltrate data outside the Beestat API.
This is an instruction-only skill that advises running `npm install -g beestat-cli`. Installing a global npm package is a common delivery method but carries moderate supply-chain risk (package integrity, publisher identity, install-time lifecycle hooks such as postinstall scripts). The registry contains no automated install spec, so the install step is manual and under the user's control, but you should verify the npm package and its publisher before installing.
Requesting a single BEESTAT_API_KEY is proportionate to a service that calls the Beestat API. The concern is the metadata inconsistency: the public registry/skill summary claims no required env vars while the SKILL.md requires BEESTAT_API_KEY. Ensure the agent/platform will not demand broader credentials and confirm the key's intended scope before providing it.
The skill does not request 'always: true' and does not declare persistence or system-wide configuration changes. It is user-invocable and may be invoked autonomously per platform defaults, which is expected for skills and is not by itself a red flag.
Guidance
Before installing or enabling this skill:
(1) Resolve the metadata mismatch: confirm whether the skill actually requires the beestat CLI and BEESTAT_API_KEY.
(2) Verify the npm package publisher and inspect the package (or run it in a sandbox) before performing a global `npm install -g`.
(3) Obtain an API key with the minimum scope possible and be ready to revoke it if anything looks suspicious.
(4) Confirm the contact email and homepage (beestat.io) are legitimate.
(5) If you allow the agent to invoke skills autonomously, be aware that this skill will have network access to the Beestat API when invoked.
If you need higher assurance, ask the skill author for source code or a signed release link (GitHub release) rather than installing an opaque npm package.
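As an added example (not part of this registry page, the scanner, or the skill's own code), the following Python script automates steps (1) and (2) of the checklist above and the two concerns raised in the analysis, the bins/env metadata mismatch and install-time npm hooks: it parses the bins/env lists from a SKILL.md front matter, compares them with what the registry summary shows, and inspects a package.json for lifecycle scripts and the command names it would put on PATH. The SKILL.md text, the registry summary and the manifest are constructed samples; the manifest describes a hypothetical package named example-thermostat-cli with a fabricated postinstall hook to exercise the check, not the real beestat-cli manifest, and the front-matter parser assumes the inline-list form bins: [...] shown on this page.

```python
"""Pre-install consistency and supply-chain checks for an agent skill that
shells out to an npm-installed CLI (added example, not the project's code)."""
import json
import re

# Lifecycle scripts npm runs during `npm install`; each one executes arbitrary code.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# --- Constructed sample inputs (not the real skill, registry record or manifest) ---
SKILL_MD = """---
name: beestat
description: Query ecobee thermostat data via the Beestat API.
metadata:
  bins: ["beestat"]
  env: ["BEESTAT_API_KEY"]
---
Install the CLI with `npm install -g example-thermostat-cli`, then export BEESTAT_API_KEY.
"""

# What the registry summary shows: no required binaries or env vars (constructed).
REGISTRY_METADATA = {"bins": [], "env": []}

# Hypothetical manifest with a fabricated postinstall hook so the check has something to find.
PACKAGE_JSON = json.dumps({
    "name": "example-thermostat-cli",
    "version": "0.1.0",
    "bin": {"beestat": "bin/beestat.js"},
    "scripts": {"test": "node test.js", "postinstall": "node scripts/setup.js"},
})


def parse_skill_requirements(skill_md):
    """Return the bins/env lists declared in the SKILL.md front matter.

    Assumes the inline-list form `bins: ["a", "b"]`; other YAML shapes need a YAML parser.
    """
    parts = skill_md.split("---")
    front = parts[1] if len(parts) >= 3 else skill_md
    found = {"bins": [], "env": []}
    for key in found:
        match = re.search(rf"^\s*{key}:\s*\[(.*?)\]", front, re.MULTILINE)
        if match:
            found[key] = [item.strip().strip("\"'")
                          for item in match.group(1).split(",") if item.strip()]
    return found


def metadata_mismatches(declared, registry):
    """Requirements SKILL.md declares that the registry summary omits."""
    issues = []
    for key in ("bins", "env"):
        for name in sorted(set(declared.get(key, [])) - set(registry.get(key, []))):
            issues.append(f"{key}: '{name}' required by SKILL.md but absent from registry metadata")
    return issues


def install_hooks(package_json_text):
    """Install-time lifecycle scripts present in package.json, as name -> command."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {name: scripts[name] for name in INSTALL_HOOKS if name in scripts}


def package_bins(package_json_text):
    """Command names the package would place on PATH when installed globally."""
    pkg = json.loads(package_json_text)
    bins = pkg.get("bin", {})
    return [pkg.get("name", "")] if isinstance(bins, str) else sorted(bins)


def install_command(pkg_name, hooks):
    """Global install command; npm's --ignore-scripts flag skips lifecycle hooks."""
    flag = " --ignore-scripts" if hooks else ""
    return f"npm install -g{flag} {pkg_name}"


def review(skill_md, registry, package_json_text):
    """Combine the checks into one findings list for a human reviewer."""
    declared = parse_skill_requirements(skill_md)
    hooks = install_hooks(package_json_text)
    bins = package_bins(package_json_text)
    findings = metadata_mismatches(declared, registry)
    findings += [f"install hook '{name}' runs: {cmd}" for name, cmd in hooks.items()]
    findings += [f"SKILL.md expects binary '{b}' that package.json does not ship"
                 for b in declared["bins"] if b not in bins]
    pkg_name = json.loads(package_json_text).get("name", "<package>")
    return {"declared": declared, "hooks": hooks, "package_bins": bins,
            "findings": findings, "install": install_command(pkg_name, hooks)}


if __name__ == "__main__":
    for line in review(SKILL_MD, REGISTRY_METADATA, PACKAGE_JSON)["findings"]:
        print("-", line)
```

In practice the manifest comes from `npm view <pkg> --json` or from unpacking `npm pack <pkg>` rather than from an inline string. A lifecycle hook is a prompt to read the script before installing, not an automatic block: `--ignore-scripts` suppresses it, but some packages need a build step at install time and will not work without it.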
Latest Release
v0.1.0
Initial release - ecobee thermostat via Beestat API
Published by @mjrussell on ClawHub