Use the Paperzilla CLI (pz) to search, filter, and browse high-signal academic papers. Trigger when the user wants to check research feeds, list projects, in...
Security Analysis
Confidence: medium
The skill is internally consistent with its stated purpose (driving the Paperzilla CLI), but it omits a couple of small details, and its install instructions ask the user to download and install a binary, so verify sources before installing.
The name and description match SKILL.md: every instruction centers on using the 'pz' CLI with a Paperzilla account, and no unrelated credentials or capabilities are requested. Minor mismatch: SKILL.md documents an optional PZ_API_URL environment variable, but the skill metadata does not list it as a required or optional env var.
The instructions tell the agent/user to install the pz CLI, run 'pz login', run feed and project commands, and optionally set PZ_API_URL. They also note that --atom prints a URL with an embedded feed token, which is sensitive. The instructions do not ask for unrelated files or credentials, but printing that Atom URL or piping it into third-party services or LLMs exposes the feed token to whoever receives the output.
No install spec is embedded in the skill (it is instruction-only). SKILL.md recommends brew or scoop, or downloading a GitHub release archive. GitHub releases and official package managers are typical sources, but the Linux curl | tar -> sudo mv flow installs whatever the download returns, as root. Verify the archive against the release's published checksums or signature (or at least confirm it on the official release page) before running the sudo step.
The skill declares no required env vars or credentials in its metadata, which is reasonable because 'pz login' handles authentication interactively. It references an optional PZ_API_URL and warns about feed tokens. There are no requests for unrelated secrets or broad credentials.
The skill is not always-on and does not request persistent system privileges. It does not modify other skills or system-wide configs in the provided instructions.
Guidance
This skill is a set of instructions for using the Paperzilla CLI, and it appears coherent. Before installing, confirm that the package sources (the brew tap URL, the scoop bucket, or the GitHub release) are official. Avoid curl | tar | sudo pipelines unless you have verified the release and its checksums first. Treat Atom feed URLs as secrets: they include an embedded token that grants access to your feed, and it will leak if you paste command output into external LLMs or services. Expect to authenticate interactively with 'pz login', and check where 'pz' stores credentials on your system. If you need higher assurance, inspect the pz repository or release, or prefer the package-manager install (brew/scoop) over a direct curl download.
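The verify-before-root step recommended above (and in the install discussion earlier in this analysis), as a worked shell example. This is an added illustration, not code from the skill, from SKILL.md, or from the Paperzilla project. It assumes a release tarball, a SHA-256 checksum file in the line format that sha256sum writes, and a binary named pz inside the archive; the "release" it builds for the demo is constructed locally, not a real Paperzilla artifact.

```shell
#!/bin/sh
# Added example: verify a downloaded release archive against a published
# SHA-256 checksum file before extracting it or placing the binary on PATH.
# Assumptions (not from the skill's SKILL.md): the archive is a .tar.gz, the
# checksum file uses the sha256sum line format ("<hex>  <filename>"), and
# the binary inside the archive is named "pz".
set -eu

# Print the SHA-256 hex digest of a file (Linux: sha256sum, macOS: shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# verify_archive ARCHIVE CHECKSUM_FILE
# Succeeds only if CHECKSUM_FILE has an entry for ARCHIVE's basename and the
# digest matches. An archive with no entry is treated as unverified.
verify_archive() {
    archive=$1; sums=$2
    name=$(basename "$archive")
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "verify: no checksum entry for $name" >&2
        return 1
    fi
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "verify: digest mismatch for $name" >&2
        return 1
    fi
}

# install_verified ARCHIVE CHECKSUM_FILE BINARY DEST_DIR
# Extracts into a scratch directory only after verification, then copies the
# named binary into DEST_DIR. Use a user-writable DEST_DIR; if a system
# location is wanted, do the sudo step only after this function has succeeded.
install_verified() {
    archive=$1; sums=$2; bin=$3; dest=$4
    verify_archive "$archive" "$sums" || return 1
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    found=$(find "$scratch" -type f -name "$bin" | head -n 1)
    if [ -z "$found" ]; then
        echo "install: archive does not contain $bin" >&2
        rm -rf "$scratch"
        return 1
    fi
    mkdir -p "$dest"
    cp "$found" "$dest/$bin"
    chmod 0755 "$dest/$bin"
    rm -rf "$scratch"
}

# Build a constructed "release" for the demo: a tarball holding a placeholder
# pz script, plus a matching checksum file. Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    mkdir "$dir/pz-0.1.0"
    printf '#!/bin/sh\necho "placeholder pz"\n' > "$dir/pz-0.1.0/pz"
    tar -czf "$dir/pz-0.1.0.tar.gz" -C "$dir" pz-0.1.0
    printf '%s  %s\n' "$(sha256_of "$dir/pz-0.1.0.tar.gz")" pz-0.1.0.tar.gz > "$dir/checksums.txt"
    echo "$dir"
}

# Demo: install into a user-local prefix, then show that a tampered download
# (one byte appended to the archive) is rejected before anything is extracted.
demo() {
    d=$(make_fixture)
    install_verified "$d/pz-0.1.0.tar.gz" "$d/checksums.txt" pz "$d/bin" || return 1
    "$d/bin/pz"
    printf 'x' >> "$d/pz-0.1.0.tar.gz"
    if verify_archive "$d/pz-0.1.0.tar.gz" "$d/checksums.txt"; then
        echo "BUG: tampered archive accepted" >&2
        return 1
    fi
    echo "tampered archive rejected before extraction"
    rm -rf "$d"
}
```

For a real download, fetch both the archive and the checksum file from the release page, confirm the checksum file itself is the one published by the project (or check a signature on it), and only then call install_verified; pointing it at a user-writable prefix such as $HOME/.local/bin removes the need for sudo entirely.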
Latest Release
v0.1.0
Initial release
Published by @pors on ClawHub