meituan-travel

Name/description match the runtime instructions: the SKILL.md tells the agent to call the @meituan-travel/ht-ai CLI (via npx or global install) to query Meituan travel data. Required binary (npx) and MEITUAN_HT_TOKEN align with the described purpose. Minor inconsistency: the registry summary above shows "Primary credential: none" while the skill metadata and SKILL.md declare MEITUAN_HT_TOKEN as the primary credential — this is likely an authoring/metadata mismatch, not a functional red flag.

SKILL.md only instructs running the ht-ai CLI, escaping user single quotes for shell safety, reading the declared MEITUAN_HT_TOKEN env var, and formatting results. It does not ask to read unrelated files or other system credentials. It explicitly warns not to print the token. Note: the guidance cannot by itself enforce non-logging — platform/runtime must honor it.

No install spec (instruction-only), which keeps on-disk footprint low. However runtime use of `npx @meituan-travel/ht-ai` means remote package code will be fetched/executed at call time (or the user can install globally). Verify the npm package identity and publisher (official Meituan package) before allowing runtime npx downloads.

Requesting MEITUAN_HT_TOKEN is proportionate and expected. The declared required env list also includes MEITUAN_RAW_JSON, but SKILL.md treats MEITUAN_RAW_JSON as an optional flag to request raw JSON output — it does not need to be mandatory. Recommend the registry declare only MEITUAN_HT_TOKEN as required and treat MEITUAN_RAW_JSON as optional. Ensure the token's scope is minimal (only the APIs needed) before providing it.

always:false (default) and no install spec — the skill does not request permanent inclusion or write access. Metadata indicates runtime context_isolation: execution and parent_context_access: read-only, which limits privilege. No instructions try to change other skills or system-wide settings.