Paperzilla CLI

The SKILL.md describes a CLI for Paperzilla and the runtime instructions are limited to installing and using the 'pz' CLI — this is consistent with the stated purpose. However, the registry metadata at the top of the evaluation says 'Required binaries: none' while the SKILL.md metadata declares a required binary 'pz' and provides install instructions. That mismatch between declared registry requirements and the skill's own instructions is inconsistent and worth clarifying with the publisher.

The instructions remain within the Paperzilla CLI domain (install pz, run 'pz login', 'pz feed', etc.). They do allow overriding the API endpoint via PZ_API_URL and note that '--atom' prints a feed URL containing an embedded token. Those two items (custom API URL + embedded token output) increase the risk of misconfiguration or accidental token exposure, but they are feature-level behaviors of the CLI rather than outright scope creep (the SKILL.md does not instruct the agent to read unrelated system files or other credentials).

No formal install spec was included in the registry entry, but the SKILL.md provides platform-specific install commands: a brew tap (paperzilla-ai/tap), a Scoop bucket from GitHub, and a Linux curl from a GitHub releases URL. These are common distribution mechanisms and use recognizable hosts (GitHub, Homebrew). The Linux command uses a curl | tar xz pipe and then moves a binary into /usr/local/bin, which is a standard pattern but carries the usual risk of running a downloaded binary — you should verify the GitHub release and repository owner before running it.

The skill declares no required environment variables and does not request unrelated credentials, which is proportionate. However, it documents an override variable (PZ_API_URL) that lets the CLI talk to a custom endpoint and it explicitly indicates the '--atom' flag prints a URL with an embedded feed token. Both features can be abused or cause accidental credential/token leakage (e.g., pointing PZ_API_URL to an attacker-controlled host or sharing an atom URL with an embedded token). The skill does not declare any primary credential; 'pz login' appears to be interactive, but the SKILL.md does not explain the authentication flow (OAuth vs password), which is a minor gap.

The skill does not request always:true, does not claim elevated system privileges, and does not declare config paths or persistent agent-level changes. Agent invocation defaults are normal. There is no evidence the skill would modify other skills or system-wide settings.