What to consider before installing/running this skill: - The included Python script contacts an unknown third‑party endpoint (onetotenvip.com) rather than an official Xiaohongshu API. Ask the author where that API comes from and whether it is trusted and permitted to serve this data. - The script disables TLS certificate verification (verify_mode = CERT_NONE) and intentionally avoids sending SNI. Those are red flags: they enable connections to servers with invalid/forged certs and can be used to evade detection. Do not run the script in a production environment or on sensitive systems until this is justified or fixed. - The instructions force the agent to fetch and embed the original coverUrl images unchanged and to analyze them with the agent's image tool. That causes many outbound requests to external hosts (potentially attacker-controlled) and can leak query terms or other metadata. If you must run it, do so from an isolated sandbox with monitored network egress. - The SKILL.md lists requests>=2.28.0 but the script does not use requests; this mismatch suggests the package was edited or assembled carelessly — request clarification from the maintainer and prefer a request-based implementation with proper TLS verification. - If you want similar functionality but safer behavior: require the API provider's provenance, use standard HTTPS clients that validate certs, or proxy all requests through a trusted service you control. Consider removing the requirement to embed unmodified remote images (download and cache after validating origin) and add logging of what is sent to external services. - If you cannot verify the endpoint or author: do not enable autonomous invocation; test the skill only in a restricted VM with network monitoring and no access to sensitive credentials or internal networks.