Google Keep notes via gkeepapi. List, search, create, and manage notes.
Security Analysis
High confidence: The skill is internally consistent with a CLI wrapper for gkeepapi (it functions as described, requests no unrelated credentials, and stores a local token), but there are a few small mismatches you should be aware of before installing.
Name, description, and the provided Python CLI (gkeep.py) implement Google Keep operations via gkeepapi (list, search, create, archive, delete, pin, etc.). Required binaries list includes 'gkeep', which matches the CLI provided. No unrelated services or credentials are requested.
SKILL.md stays within its stated purpose (login, list, search, create, manage notes). It documents the use of an app password and that tokens are stored at ~/.config/gkeep/token.json. Minor mismatch: SKILL.md says the first run bootstraps a venv at 'skills/gkeep/.venv', but package.json/postinstall would create '.venv' in the package directory; the runtime code itself does not reference that venv path. No instructions ask to read or exfiltrate unrelated files.
There is no explicit install spec provided to the platform (instruction-only), which is low-risk. However, the bundle includes a package.json with a postinstall script that will create a Python venv and pip-install requirements if an npm install were run. That postinstall is not executed by the platform by default but is important to notice if you manually install via npm or run package scripts.
The skill declares no required environment variables, which is appropriate. The code does read an optional GKEEP_PASSWORD env var during login (fallback to interactive prompt) but this env var is not declared in metadata — benign but a minor documentation gap. Tokens (keep.getMasterToken()) are saved to ~/.config/gkeep/token.json with 0o600 permissions per the code, which is expected for local credential storage.
always:false and normal invocation settings. The skill persists a token in the user's home config directory (expected for a CLI client) and may create a local venv when installed/run; it does not request system-wide privileges or modify other skills.
Guidance
This skill appears to do what it says: a CLI wrapper around gkeepapi that stores a local token in ~/.config/gkeep/token.json. Before installing or running it:
1) Verify you trust the package source (the repo homepage is provided).
2) Prefer using a Google App Password as recommended; avoid placing your account password in environment variables.
3) Note the bundle includes package.json with a postinstall script: running npm install or the package postinstall will execute commands to create a venv and install Python dependencies, so only do that from a trusted source.
4) Inspect or back up the token file, and consider revoking the app password/token in your Google account if you stop using the skill.
5) Small inconsistencies (venv path and package bin name) look like packaging/documentation issues rather than malicious behavior, but confirm the install/run steps match how you plan to use it.
Latest Release
v1.0.3
Updated metadata and author to use openclaw instead of clawdbot
Published by @VACInc on ClawHub