xiaoya-auto-doing

This skill appears to implement browser-driven login and page capture for whut.ai-augmented.com, but there are a few red flags to consider before installing or using it: - The script calls the external 'agent-browser' CLI, but the skill metadata does not list that binary as required. Verify you have a trusted agent-browser binary installed and understand its permissions. - SKILL.md mentions a 'scripts/whut-open' wrapper that is not present in the provided file manifest. Confirm which file you should run (scripts/auto_login.py is present and appears to be the main script). - The skill reads credentials from WHUT_USERNAME/WHUT_PASSWORD or from a local JSON file. Do NOT store real credentials inside the skill package. Prefer environment variables or a secure secret store, and use a throwaway/test account when first trying the skill. - The tool captures full page text and saves it to latest_page_dump.json, which may include sensitive or personally identifiable information. Treat those outputs as sensitive local data. - Because the code uses subprocess to call agent-browser, inspect and trust that CLI (and its network/browser behavior) before running. Run the skill in a restricted environment (e.g., dedicated VM or container) if you are uncertain about origin/trust. If you want to proceed safely: (1) confirm/put agent-browser on PATH from a trusted source, (2) do not place real credentials in the skill folder, (3) test with a non-sensitive account first, and (4) inspect runtime outputs for unexpected network calls or sensitive data being written or transmitted.