qq-zone-photo

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The script uses subprocess.Popen (on macOS and Linux) and os.startfile (on Windows) to display a generated QR code image for user login. These calls use a hardcoded temporary file path and are limited to standard system utilities, which prevents arbitrary command injection from external input.
  • [CREDENTIALS_UNSAFE]: The skill handles sensitive QQ authentication tokens (p_skey, skey). These are stored locally in a cookies.json file to maintain the user's session. There is no evidence of these credentials being exfiltrated or used in any unauthorized manner; all traffic is routed to official Tencent/QQ servers.
  • [EXTERNAL_DOWNLOADS]: The skill downloads image content from official QQ Zone infrastructure. These downloads are part of the core functionality and use standard, secure HTTP request patterns with appropriate headers to mimic browser behavior.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 18, 2026, 01:02 AM