Generate tech news digests with unified source model, quality scoring, and multi-format output. Six-source data collection from RSS feeds, Twitter/X KOLs, Gi...
Security Analysis
High confidence: The skill's code, SKILL.md instructions, and optional environment variables are coherent with a news-digest pipeline. Nothing requested or installed is out of proportion with its stated purpose.
Name/description (tech news digest from RSS/Twitter/GitHub/Reddit/web) match the bundled scripts, templates, and config files. Declared binaries (python3 + optional mail/gog/gh/openssl/weasyprint) and optional API keys align with fetching, PDF generation, GitHub token generation, and email delivery. The README's marketing about one-line install is optimistic but not malicious.
Runtime instructions explicitly read config/defaults/, scripts/, and the workspace archive, and write temporary outputs to /tmp and archive files in <workspace>/archive/tech-news-digest/. This is expected for deduplication and archive-based behavior, but means the skill will read files under the agent workspace and may read a GH app private key file path if provided. The SKILL.md also documents safety rules (e.g., do not interpolate untrusted content into shell args).
No install spec — instruction-only (lowest install risk). The repo contains Python scripts and a requirements.txt; SKILL.md states the skill does not run pip install automatically. There are no downloads from untrusted URLs or extracted archives in the install metadata.
All API keys and credentials (Twitter/X, twitterapi.io, Brave/Tavily, GitHub token or GitHub App fields) are optional and appropriate for the listed external integrations. The only sensitive file access is the optional GH_APP_KEY_FILE (private key PEM) used to generate a GitHub App JWT via openssl if the user enables that flow — this is proportional to the auto-token generation feature but requires the user to supply a private key file. No unrelated credentials are requested.
The manifest sets always: false, and nothing indicates the skill modifies other skills or system-wide agent settings. It writes archive files under the workspace and temp files in /tmp (expected for pipeline output and attachments). Autonomous invocation is allowed (the platform default) but is not elevated here.
Guidance
This skill appears to do exactly what it says: collect from RSS/Twitter/GitHub/Reddit/web, score and deduplicate items, and render/send digests. Before installing:
(1) ensure python3 and any optional tools you want (weasyprint for PDFs, openssl for GitHub App JWT signing, an MTA or gog for email) are present;
(2) only set API keys you intend to use; all are optional;
(3) if you enable GitHub App auto-token generation, provide GH_APP_KEY_FILE only from a trusted location, because it contains a private key used to sign JWTs;
(4) be aware the skill reads and writes files in the agent workspace (workspace/archive/tech-news-digest/) and /tmp, so avoid storing unrelated secrets in those locations;
(5) if you plan to enable automated scheduling/delivery, confirm the delivery method (Discord via message tool, or local mail/gog) is configured and acceptable.
Overall coherent, but follow least-privilege practices for supplying keys and private key files.
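The two points above that deserve a concrete check are the GH_APP_KEY_FILE handling (guidance item 3, and the openssl-based JWT flow described under credentials) and the SKILL.md rule that untrusted values must not be interpolated into shell arguments. The block below is an added example written for this review; it is not the skill's own code and makes no claim about how the bundled scripts implement the flow. It assumes a POSIX host with the openssl CLI, and the hypothetical helper names (validate_key_file, build_claims, sign_jwt) are its own. It rejects a key file that is a symlink target outside an allowed directory, is not owned by the running user, or is group/other-readable; builds App JWT claims within GitHub's 10-minute lifetime cap; and signs with openssl invoked as an argv list, so the key path never passes through a shell. The demo key it generates is constructed on the fly and is not a real GitHub App key.

```python
"""Hardened GitHub App JWT generation from a GH_APP_KEY_FILE path (added example, not skill code)."""
import base64
import json
import os
import shutil
import stat
import subprocess
import tempfile
import time
from pathlib import Path

MAX_JWT_LIFETIME = 600  # GitHub rejects App JWTs that are valid for more than 10 minutes
CLOCK_SKEW = 60         # backdate iat by a minute to tolerate clock drift between hosts

# Constructed placeholder PEM for the permission checks; deliberately not a usable key.
FAKE_PEM = "-----BEGIN PRIVATE KEY-----\nconstructed-placeholder-not-a-key\n-----END PRIVATE KEY-----\n"


def validate_key_file(path, allowed_dirs):
    """Return the resolved key path if it is safe to use, otherwise raise ValueError."""
    p = Path(path).expanduser().resolve(strict=True)  # follow symlinks; check the real file
    if not any(_inside(p, Path(d).resolve()) for d in allowed_dirs):
        raise ValueError(f"{p} is outside the allowed key directories")
    st = p.stat()
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{p} is not a regular file")
    if st.st_uid != os.getuid():  # POSIX only: the key must belong to the user running the pipeline
        raise ValueError(f"{p} is not owned by the current user")
    if st.st_mode & 0o077:       # group/other bits set: the key is readable by others
        raise ValueError(f"{p} must be mode 0600 or stricter")
    first = p.read_text(encoding="ascii", errors="replace").splitlines()[0] if st.st_size else ""
    if not (first.startswith("-----BEGIN ") and "PRIVATE KEY-----" in first):
        raise ValueError(f"{p} does not look like a PEM private key")
    return p


def _inside(path, root):
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claims(app_id, now=None):
    """Claims for a GitHub App JWT: issuer is the App ID; exp stays under the 10-minute cap."""
    now = int(time.time()) if now is None else int(now)
    return {"iat": now - CLOCK_SKEW, "exp": now + MAX_JWT_LIFETIME - CLOCK_SKEW, "iss": str(app_id)}


def sign_jwt(claims, key_file):
    """RS256-sign header.payload with the openssl CLI; the key path is one argv element, never shell text."""
    header = {"alg": "RS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    sig = subprocess.run(["openssl", "dgst", "-sha256", "-sign", str(key_file)],
                         input=signing_input.encode(), capture_output=True, check=True).stdout
    return signing_input + "." + _b64url(sig)


def verify_jwt(token, key_file):
    """Check the signature with the matching public key (used to confirm the demo, not by a pipeline)."""
    signing_input, sig_b64 = token.rsplit(".", 1)
    sig = base64.urlsafe_b64decode(sig_b64 + "=" * (-len(sig_b64) % 4))
    with tempfile.TemporaryDirectory() as d:
        pub, sigf = Path(d) / "pub.pem", Path(d) / "sig.bin"
        subprocess.run(["openssl", "pkey", "-in", str(key_file), "-pubout", "-out", str(pub)],
                       check=True, capture_output=True)
        sigf.write_bytes(sig)
        r = subprocess.run(["openssl", "dgst", "-sha256", "-verify", str(pub), "-signature", str(sigf)],
                           input=signing_input.encode(), capture_output=True)
        return r.returncode == 0


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def _write_pem(path, mode):
    path.write_text(FAKE_PEM)
    path.chmod(mode)


def _rejected(path, allowed):
    try:
        validate_key_file(path, allowed)
        return False
    except ValueError:
        return True


def permission_demo() -> dict:
    """Exercise the file checks: a 0600 key in the allowed dir passes; a 0644 copy and an outside file fail."""
    with tempfile.TemporaryDirectory() as d:
        allowed = Path(d) / "secrets"
        allowed.mkdir()
        strict, loose, outside = allowed / "app.pem", allowed / "loose.pem", Path(d) / "app.pem"
        _write_pem(strict, 0o600)
        _write_pem(loose, 0o644)
        _write_pem(outside, 0o600)
        return {"strict_ok": validate_key_file(strict, [allowed]) == strict.resolve(),
                "loose_rejected": _rejected(loose, [allowed]),
                "outside_rejected": _rejected(outside, [allowed])}


def demo(app_id="12345"):
    """Generate a throwaway RSA key, validate it, sign a JWT and verify it. Returns None without openssl."""
    if not openssl_available():
        return None
    with tempfile.TemporaryDirectory() as d:
        key = Path(d) / "app.pem"
        subprocess.run(["openssl", "genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048",
                        "-out", str(key)], check=True, capture_output=True)
        key.chmod(0o600)
        key = validate_key_file(key, [Path(d)])
        token = sign_jwt(build_claims(app_id), key)
        return {"token_parts": token.count("."), "verified": verify_jwt(token, key)}


if __name__ == "__main__":
    print(permission_demo())
    print(demo())
```

The ownership and mode checks run on the resolved path, so a symlink planted in the allowed directory that points at a key elsewhere is caught by the directory check rather than silently followed. Swapping the subprocess call for a shell string (f"openssl dgst -sign {key_file}") would reintroduce exactly the interpolation the SKILL.md rule forbids, since GH_APP_KEY_FILE is user-supplied configuration.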
Latest Release
v3.14.0
BLOG_PICKS_COUNT placeholder, SKILL.md alignment, cron docs update
Published by @dinstein on ClawHub