Films Search

Pass

Audited by VirusTotal on May 11, 2026.

Findings (1)

The skill is designed to search for film resources across cloud drives but contains a significant local file inclusion (LFI) vulnerability in `scripts/film-search.sh`. The shell script automatically reads and expands any argument starting with the `@` character using `cat`, which allows for arbitrary file read attacks if user-supplied keywords are not sanitized. Additionally, `scripts/film-search.js` performs high-risk automated environment modifications by creating a virtual environment and executing `pip install` to fetch the `cloudscraper` dependency. While these features are intended to support the skill's deep-scraping functionality, the lack of input validation and the automated execution of remote code (via pip) pose a security risk.