The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill relies on an external API (https://onetotenvip.com/skill/cozeSkill/getXhsCozeSkillData) to retrieve Xiaohongshu trend data. The accompanying Python script fetch_xhs_trends.py explicitly disables SSL/TLS certificate verification by setting ssl.CERT_NONE and check_hostname = False. This creates a critical vulnerability where an attacker could perform a Man-in-the-Middle (MitM) attack to view or modify the data exchanged.
[COMMAND_EXECUTION]: The skill instructions require the agent to execute a local Python script scripts/fetch_xhs_trends.py via the command line. This script contains non-standard network logic, including a manual implementation of a TLS handshake designed to omit the Server Name Indication (SNI) extension. This technique is typically used to bypass network monitoring or regional filters.
[DATA_EXFILTRATION]: User-provided keywords, search terms, and a source identifier ('小红书爆款标题创作-GitHub') are transmitted to the external domain onetotenvip.com. This domain is not a recognized service provider or a trusted vendor.
[PROMPT_INJECTION]: The skill contains 'Highest Priority' and 'Absolute Execution' instructions within references/core_workflow.md. These directives are designed to override the agent's default decision-making process and force adherence to specific behavioral and formatting constraints, which is a common pattern for steering or bypassing standard agent safeguards.

xhs-explosive-content-suite