douban-skill
Warn
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The script scripts/douban-frodo-export.py contains a hardcoded API key (0dad551ec0f84ed02907ff5c42e8ec70) and HMAC secret (bf7dddc7c9cfe6f7). These are used to authenticate with the Frodo API. Although documented as shared public credentials extracted from the Douban mobile application, hardcoding cryptographic secrets in script files is an unsafe practice.
- [EXTERNAL_DOWNLOADS]: The skill performs legitimate network requests to official Douban domains (frodo.douban.com and www.douban.com) to retrieve user collection data. These operations are transparently documented and aligned with the skill's primary function of exporting user collections.
- [PROMPT_INJECTION]: The skill processes untrusted external data, presenting an indirect prompt injection surface.
  - Ingestion points: Fetches JSON data from the Frodo API and XML from Douban RSS feeds.
  - Boundary markers: None present in the processing logic.
  - Capability inventory: Writes CSV files to the user's local Downloads directory.
  - Sanitization: Employs standard CSV library escaping in Python and manual character escaping in Node.js to mitigate risks associated with malformed data or CSV injection.
Audit Metadata