The Agent Skills Directory

[COMMAND_EXECUTION]: The skill is highly vulnerable to command injection because it uses subprocess.run(shell=True) with direct string interpolation of parameters like aweme_id, sec_user_id, and CSS selectors. An attacker providing a malicious ID could execute arbitrary shell commands on the host system.
Evidence: In douyin_sign.py, functions like _run, _navigate, and _wait_for_content interpolate variables directly into shell command strings without escaping.
[EXTERNAL_DOWNLOADS]: The skill requires the installation of external dependencies from non-standard sources, including a global NPM package (agent-browser) and Playwright browser binaries.
Evidence: SKILL.md and requirements.txt instruct the user to run npm install -g agent-browser and playwright install chromium.
[PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) as it retrieves and processes untrusted text from Douyin (video descriptions, user signatures, and comments) and returns it to the agent context.
Ingestion points: douyin_sign.py extracts text from DOM elements in search_videos, get_comments, and get_user_profile.
Boundary markers: None. The external content is not wrapped in delimiters or accompanied by instructions to ignore embedded commands.
Capability inventory: The skill has the ability to execute shell commands (subprocess.run) and navigate the web (agent-browser).
Sanitization: Minimal. The code only performs basic whitespace stripping and string slicing.
[CREDENTIALS_UNSAFE]: The skill manages sensitive session data by storing authentication cookies in plain text within the local file system, which could be accessed by other malicious processes.
Evidence: douyin_sign.py saves cookies to data/douyin_cookie.txt and manages a persistent browser profile in data/profile.

douyin-cli