atk-ux-research

Fail

Audited by Socket on Feb 21, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

The package is a legitimate UX research skill focused on scraping and synthesizing user feedback. I found no evidence of intentionally malicious code (no obfuscation, no reverse shells, no hardcoded credentials).

The primary security concerns are privacy and operational: raw scraped content (which may contain PII) is written to disk and the workflow encourages sending data and queries to third-party services (Firecrawl, Exa, Perplexity) without documented data retention or sanitization. Additional risks: weak guidance on rate limiting/TOU compliance and potential accidental VCS commits of sensitive data.

Recommendations:
1) Do not store or commit raw scraped content without sanitization — redact usernames, emails, and other identifiers.
2) Review privacy/retention policies of Firecrawl/Exa/Perplexity before providing API keys or sending scraped content.
3) Add robust scraping controls: respect robots.txt, implement exponential backoff and error handling, and avoid scraping authenticated endpoints.
4) Avoid passing secrets on command lines or committing env files; use secure secret management.

Overall: operationally useful but moderate privacy/supply-chain risk; safe to use with controls and vendor review.

Confidence: 98%
Audit Metadata
Analyzed At: Feb 21, 2026, 05:51 PM
Package URL: pkg:socket/skills-sh/tdimino%2Fclaude-code-minoan%2Fatk-ux-research%2F@c19f87d489f320028ab84f328d510148a8d58ea4