Deep Search-mpro

Guidance

What to check before installing/using this skill: 1) Inspect SKILL.md for hidden characters: the pre-scan flagged unicode control characters in SKILL.md — open the file in a hex or raw-text viewer to confirm there are no invisible characters embedding alternate instructions. Remove or reject the package if you find unexpected hidden text. 2) Review local scripts before running: the repo contains scripts (e.g., scripts/data_collector.py, scripts/data_collection_template.py, check_dependencies.sh). The SKILL.md says these are not run automatically, but if you run them locally or enable them you should audit their source to confirm they do not perform unexpected network calls, upload data, or execute shell commands. 3) Check templates for external resource loading: inspect generated HTML/templates for <script> tags or CDN URLs (Chart.js, ECharts, etc.). Rendering an HTML file could trigger network requests to third-party CDNs; sanitize or host required libs locally if that is a concern. 4) Confirm provenance & run in sandbox: source and homepage are unknown. If you need to trust this skill for sensitive work, prefer running it in an isolated environment first and/or obtain the package from a known/trusted repository. 5) Limit autonomous use if unsure: the skill can be invoked autonomously by the agent. If you are uncomfortable, restrict autonomous invocation or require user confirmation before the skill runs data collection or executes any local script. 6) If you plan to enable any script execution, set strict network limits and logs: require explicit opt-in, impose request rate limits, and monitor outbound connections to detect accidental data exfiltration. If you want, I can: (a) search for specific suspicious patterns inside the repo (e.g., network calls in data_collector.py), (b) show the raw SKILL.md with invisible characters highlighted, or (c) summarize what the helper scripts do based on their source — tell me which you prefer.