skills/frahman5/fstack/tiktok-warmup/Gen Agent Trust Hub

tiktok-warmup

Fail

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill uses the 1Password CLI (op) to retrieve cleartext passwords and usernames for TikTok and email accounts. Instructions in loginRef.md and regenerate-mlx-token.py use the --reveal flag to fetch sensitive secrets into the execution environment, where they are then used in shell commands and browser automation.
  • [EXTERNAL_DOWNLOADS]: The skill performs remote code execution and software installation during its setup and operation. SKILL.md triggers an update via npx skills update from 'fstack', and peekabooRef.md installs the 'peekaboo' utility via Homebrew.
  • [REMOTE_CODE_EXECUTION]: The 'Nightly Audit' protocol defined in nightlyAuditRef.md creates a self-modifying code loop. An automated agent analyzes log data from TikTok and Airtable and performs git-based modifications to the skill's own scripts (tiktok-warmup-poc.py) and instructions (runtimeLearnings.md, auditLogs.md). This creates a significant attack surface where untrusted data from the web can influence code changes.
  • [COMMAND_EXECUTION]: The skill makes extensive use of Python's subprocess and os.system equivalents to execute a wide range of external CLI tools, including git, op, curl, ffmpeg, and peekaboo. This reliance on external binaries increases the potential for command injection if inputs are not properly sanitized.
  • [DATA_EXFILTRATION]: The skill captures and transmits sensitive data to multiple third-party services. Screenshots of browser and mobile cloud phone sessions are taken during operation and sent to Telegram (executeWarmupsServerRef.md). Operational logs and engagement metadata are also transmitted to Supabase and Airtable.
Recommendations
  • HIGH: Downloads and executes remote code from: unknown (check file) - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 7, 2026, 09:24 AM