toutiao-publish-docx

This skill appears to do what it says (automate publishing to Toutiao), but there are important mismatches you should address before installing or running it: - Missing declarations: SKILL.md uses the TOUTIAO_COOKIE environment variable and specific project paths (/home/ubuntu/projects/toutiao_poster and artifact directories), but the skill metadata lists no required env vars or config paths. Confirm where cookies/sessions will be stored and whether the platform will pass TOUTIAO_COOKIE if you provide one. - Verify the runtime environment: The instructions assume a Python project and virtualenv at /.venv and a module named toutiao_poster. If that code is not present on the host, the commands will fail. If it is present, inspect that code before running — it will have filesystem access to the referenced directories. - Protect secrets: A cookie header grants access to the user's account—only supply cookies you trust and only run this on a dedicated, non-shared environment. Do not paste browser cookies in untrusted consoles. - Filesystem risk: The skill reads/moves files under absolute paths. If you run it on a shared machine, ensure those paths don't contain unrelated sensitive data. Prefer running in an isolated VM/container with minimal other data. - Improve metadata before use: Ask the publisher to declare required env vars (TOUTIAO_COOKIE, optional TOUTIAO_IMAGE_DIR) and required config paths in the registry metadata so the permission surface is explicit. If you cannot verify the presence and content of the toutiao_poster project or cannot ensure a dedicated environment, avoid using this skill or run it only after code inspection and environment hardening.