ℹ Purpose & Capability
The skill's stated purpose (fetch Douyin hot lists, produce analysis and HTML visualizations) aligns with the included scripts, which call an external API and generate HTML. However, the code connects to a third-party host (onetotenvip.com) via a hard-coded IP (8.154.41.7) using low-level socket+ssl rather than a standard HTTPS library, an unusual implementation detail that the description does not justify.
! Instruction Scope
SKILL.md / core-workflow mandates strict runtime behaviors that the code and environment do not actually support: it requires (a) reading assets/core-workflow.md first, (b) immediate generation and in-reply dumping of complete HTML content and a PDF, and (c) recording and automatically pushing hourly/daily subscriptions. The scripts themselves (1) strip whitespace from titles and generate synthetic summaries, which contradicts SKILL.md's repeated 'do not modify' / 'output original data' rules, and (2) provide no implementation for scheduling pushes or for server-side push delivery. The instructions therefore give the agent broad, unrealistic responsibilities and conflict directly with the code.
✓ Install Mechanism
No install spec and no external package downloads are present (instruction-only with local Python scripts). That lowers installation risk. The only risk comes from included code executed at runtime (see other dimensions).
✓ Credentials
The package requests no credentials, environment variables, or config paths. The included scripts likewise do not use sensitive environment variables. This is proportionate to the stated purpose.
! Persistence & Privilege
The workflow insists on scheduling and delivering recurring pushes (hourly/daily) and on 'recording' subscription preferences, but the skill declares no mechanism, install step, or persistent storage for scheduled background jobs. The skill's manifest does not request 'always: true', yet the docs assume persistent, autonomous push behavior: this incoherence could lead to unexpected behavior or broken promises.
What to consider before installing
Things to consider before installing or running this skill:
- Unknown upstream API: both scripts call https://onetotenvip.com via a hard-coded IP (8.154.41.7). Ask the author for the data source, why that host/IP is used, and whether it is a trusted vendor. Hard-coded IPs can hide where data is going.
- Disabled TLS verification & no SNI: the code sets verify_mode=CERT_NONE and server_hostname=None. That disables certificate validation and SNI, making the TLS connection vulnerable to interception and removing a key authenticity check. Request a justification or a change to standard HTTPS requests (requests/urllib with proper cert validation).
- Contradictory data rules: SKILL.md forbids modifying API data, yet the scripts remove whitespace from titles and generate synthetic 'desc' text. Decide whether you trust the generated summaries and the fact that titles are altered; this contradicts claims of 'do not modify' original data.
- Push/subscription model is not implemented: the docs require hourly/daily push and recording preferences but there is no background scheduler, persistence mechanism, or service endpoint. Clarify how subscriptions are stored and how pushes are delivered (webhook, email, external service?). Without this, promised automation cannot function.
- Forced HTML/PDF output and in-reply dumping: the workflow requires the agent to generate HTML files and embed full HTML and PDF content directly in responses. This can leak content into chat and may be impractical (binary PDFs), and the scripts only produce HTML (PDF generation is left to client-side JS). Confirm whether you want the agent to output full files to chat and who can read them.
- If you plan to use it: run the scripts in an isolated environment first, inspect network traffic, and consider replacing the low-level socket calls with standard HTTPS libraries that validate certs. Ask the author for source/reference (homepage, official API docs), and for a clear design for subscription persistence and delivery.
What would change this assessment: Availability of an authoritative source/homepage or repo, an explanation for the hard-coded IP and disabled TLS checks (or better: removal of those practices), a clear and safe subscription/push implementation, and alignment between 'do not modify data' rules and the actual code would raise confidence and could make this benign. Absent those, treat the skill cautiously.