ℹ
Purpose & Capability
The name and description (generate XHS titles) align with the included files: the instructions describe querying trend data, the repo contains a script that fetches XHS-related data, and SKILL.md describes the analysis and generation steps. Requesting no credentials and no binaries is coherent for this purpose.
!
Instruction Scope
SKILL.md and references/core_workflow.md require reading local policy files and running scripts that call an external API with the user's input as a 'keyword' parameter. That means arbitrary user-provided text will be transmitted to a third party as part of normal operation — a privacy/data‑exfiltration risk if users supply sensitive content.
✓
Install Mechanism
No install spec (instruction-only with one Python script). Not installing third‑party packages or downloading archives reduces risk; the script relies on Python standard libs and requests (declared), but no package install is specified.
!
Credentials
The skill requests no environment variables or credentials (good), but it sends user input to https://onetotenvip.com/... — an undocumented third‑party service. Combined with the script's behavior (see TLS handling), this is disproportionate for users who may expect local or official‑API processing.
✓
Persistence & Privilege
always:false and no install modifications. The skill does not request persistent privileges or modify other skills/config — normal and limited persistence.
What to consider before installing
Before installing, consider that this skill will send whatever text a user provides (keywords) to an external, undocumented domain (onetotenvip.com). The bundled Python script deliberately disables TLS certificate checks and omits SNI when making HTTPS connections — this is unusual and weakens authenticity/confidentiality guarantees (it can facilitate MitM or connection to nonstandard endpoints). If you plan to use it:
(1) do not provide any sensitive or private inputs (passwords, PII, proprietary text);
(2) ask the author for the API's owner, privacy policy, and why certificate verification/SNI are disabled;
(3) consider running the skill in a network‑restricted sandbox or block its outbound requests until you validate the endpoint;
(4) prefer a version that uses standard HTTPS libraries with proper certificate validation or an official/transparent data provider;
(5) if you cannot validate the endpoint and purpose, treat the skill as potentially exfiltrative and avoid installing it on high‑trust/production agents.