bleisure-micro-vacation

The skill bundle functions as a travel assistant but utilizes high-risk execution patterns, including shell command execution and local network interaction. Specifically, it instructs the agent to run a local Node.js script (`check-deps.mjs`) and use `curl` to interact with a local Chrome DevTools Protocol (CDP) proxy on `localhost:3456` to scrape Xiaohongshu data (`xiaohongshu-cdp.md`). It also performs `eval` operations within the browser context to extract web content. While these capabilities are documented as necessary for fetching real-time social media links and POI data via the Amap API, the combination of shell access, local port communication, and browser automation constitutes a significant security risk if exploited, despite the lack of clear evidence of intentional malice.