skills/0xranx/agent-kit/douyin-cli/Gen Agent Trust Hub

douyin-cli

Fail

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION]: The _run function in douyin_sign.py executes system commands using subprocess.run(cmd, shell=True). Several functions, including _navigate and _wait_for_content, construct these command strings by interpolating variables like url and selector which are influenced by user-provided keywords and IDs from CLI arguments. This pattern is highly susceptible to command injection if an attacker provides inputs containing shell metacharacters (e.g., ;, &, or |).
  • [CREDENTIALS_UNSAFE]: The skill manages user authentication by storing session cookies in plain text at data/douyin_cookie.txt. These cookies, including sensitive session identifiers, are not encrypted or protected by OS-level secret storage, making them accessible to any local user or malicious process.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it ingests untrusted data from the Douyin web interface and passes it to the agent.
      • Ingestion points: Data is extracted from the douyin.com DOM (descriptions, comments, user profiles) via agent-browser eval in douyin_sign.py.
      • Boundary markers: Absent; scraped content is returned without delimiters or instructions to ignore embedded commands.
      • Capability inventory: The skill has the capability to execute shell commands via subprocess.run and write to the local filesystem.
      • Sanitization: Absent; the script performs simple text slicing but does not filter for malicious instructional patterns.
  • [EXTERNAL_DOWNLOADS]: The skill relies on external dependencies and tools, specifically agent-browser (installed via npm) and Chromium (installed via Playwright), which are required for its core functionality but are not from the pre-defined trusted vendor list.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 16, 2026, 04:46 AM