抖音热榜 / Douyin Hot

Pass. Audited by VirusTotal on May 14, 2026.

Findings (1)

The skill bundle is a Douyin hot list fetcher that contains multiple security vulnerabilities. It is susceptible to SQL injection in `scripts/db.py` and `scripts/query.py` because the `days` parameter is inserted into SQL queries using string formatting without proper sanitization. Additionally, `scripts/generate_html.py` produces an HTML report (`data/index.html`) that is vulnerable to Cross-Site Scripting (XSS) because it renders fetched titles directly into the DOM using `innerHTML`. While these flaws allow for potential attacks, there is no clear evidence of intentional malice or data exfiltration.