The Agent Skills Directory

[CREDENTIALS_UNSAFE]: Multiple scripts including search.py, detail.py, and img_search.py contain a hardcoded static api_key (dafe77e7486f46eca2e17a256d3ce6b5). Additionally, the exchange_link_builder.py utility found in several sub-skills includes a hardcoded secret key (5fb86e55b72bfc50f083049130e5e76a75c2cbda6bbd6e51d59668057f5c1715) used for HMAC-MD5 signing of product links.
[COMMAND_EXECUTION]: The qr_code_client.py script in the login sub-skill uses subprocess.run to execute host system commands like 'open', 'xdg-open', or 'startfile' to display QR code images to the user. While functionally necessary for this specific use case, it represents a dynamic execution pattern.
[EXTERNAL_DOWNLOADS]: Documentation and instruction blocks in README.md and SKILL.md direct the AI agent to automatically execute 'clawhub install' for various sub-skills. This pattern instructs the agent to download and install external code at runtime.
[DATA_EXFILTRATION]: The skill suite manages sensitive user session cookies (PASSPORT_ACCESS_TOKEN) and stores them in a local JSON file (~/.vipshop-user-login/tokens.json). While these tokens are transmitted to official vendor domains, the local storage and programmatic handling of session credentials create an expanded attack surface for potential data exposure.

vipshop-skills