The Agent Skills Directory

[COMMAND_EXECUTION]: The Python script in Step 2 explicitly disables SSL certificate verification (ssl.CERT_NONE and check_hostname = False). This makes the connection vulnerable to Man-in-the-Middle (MITM) attacks where authentication cookies could be intercepted by a third party.
[CREDENTIALS_UNSAFE]: The skill instructs users to export their full session cookies from a web browser into a plain-text file (~/cookies.json). While the user is performing the action, the skill's lack of secure handling (as noted in the SSL findings) creates a high risk for these credentials.
[DATA_EXFILTRATION]: The instructions direct the agent to read files from ~/.claude/projects/*/memory/. These are internal directories used by the AI agent to store context and user history; accessing them programmatically without explicit per-file user consent represents a data exposure risk.
[EXTERNAL_DOWNLOADS]: The skill uses curl to download video files from dynamic URLs extracted from post metadata. While necessary for the skill's function, it involves fetching external binary content from remote servers.
[COMMAND_EXECUTION]: The skill utilizes shell commands (curl, ffmpeg, rm) to process downloaded media, incorporating dynamic variables like {post_id} and <视频URL> which could lead to command injection if the input source is maliciously crafted.

xhs