公众号爆款文章查询

This skill mostly does what it claims (it calls an included Python script to fetch and format WeChat public-article trend data), but there are red flags you should consider before installing or using it: - The script calls a third-party API at onetotenvip.com. If you run the skill, your query keywords (and possibly other context) will be sent to that host. Only use it if you trust that service. - The script disables TLS certificate verification and deliberately avoids sending SNI (server name) when establishing HTTPS connections. This makes network connections opaque and can be used to evade interception detection — a risky implementation choice. Avoid sending sensitive or private keywords/data via this skill. - The SKILL.md lists the 'requests' library dependency, but the script does not use requests; this inconsistency may be benign but is worth asking the author about. Recommendations: - If you must use it, run it in an isolated/sandbox environment or on a machine/network where you can monitor outbound traffic (so you can see what is sent to onetotenvip.com). - Ask the skill author for the API provider's documentation and why TLS verification/SNI were disabled; prefer a version that uses verified TLS (requests or urllib with certificate validation) and a documented, trusted backend. - Do not use the skill for queries containing sensitive, confidential, or personally identifiable information until you can verify the remote service's trustworthiness. - If you have the capability, examine (or ask the author to publish) the remainder of the script to confirm there is no additional behavior (file reads, credential harvesting, unknown callbacks).