douyin-hot-trend

Warn

Audited by Gen Agent Trust Hub on Jun 12, 2026

Risk Level: MEDIUM
Categories: DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [DATA_EXFILTRATION]: The Python scripts scripts/hotspot_fetcher.py and scripts/gen_douyin_hot_html.py attempt to read sensitive shell configuration files including ~/.bashrc, ~/.bash_profile, and ~/.zshrc. This is used to find the REDFOX_API_KEY, but accessing these system files is a security concern as they often contain unrelated credentials and secrets.
  • [CREDENTIALS_UNSAFE]: The documentation in SKILL.md and README.md encourages users to store API keys in plain text within shell configuration files as a primary setup method, which is an unsafe credential management practice.
  • [EXTERNAL_DOWNLOADS]: The skill fetches real-time and historical Douyin trend data from the RedFoxHub API at https://redfox.hk/story/api/hotSpot/getListByPlatform using the Python requests library.
  • [EXTERNAL_DOWNLOADS]: The generated HTML reports load external JavaScript libraries, including html2canvas and jspdf, from the cdnjs.cloudflare.com CDN to handle image rendering and PDF generation.
  • [COMMAND_EXECUTION]: The core workflow described in references/core_workflow.md requires the agent to execute shell commands to run local Python scripts with user-influenced arguments.
  • [DATA_EXFILTRATION]: The references/core_workflow.md file contains hardcoded absolute Windows paths that include a specific local username (马祯), exposing information about the author's local machine environment.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 12, 2026, 07:50 PM
Security Audit — agent-trust-hub — douyin-hot-trend