joox-music-player

Things to consider before installing/running this skill: - Provenance: the skill owner/source is unknown. The SKILL.md includes an external contact email (163.com) and promotional text; that is nonstandard but not proof of malice. Prefer skills from known authors or review code before trusting. - Tools to be installed: the skill tells you to install 'agent-browser' (npm) and Playwright (npx). Inspect those packages (npm page, source repo) before installing, and install them in a controlled environment if possible (container or VM). - Sensitive persistent state: the instructions save a file named joox-auth.json that contains session cookies/tokens. Treat that file like credentials — store it securely, encrypt it, or avoid saving persistent sessions if you do not trust the skill. If you must use it, place it in a restricted directory and delete it after use. - Snapshots: the agent takes page snapshots which may capture profile information or other private content. Be cautious about where snapshots are stored and whether they are uploaded anywhere. - Autonomous invocation: the skill can be invoked autonomously by default. Because it can restore sessions and control a browser, consider disabling autonomous invocation for this skill or requiring user confirmation before running. - Safe test recommendations: if you want to try it, run the automation in an isolated environment (temporary VM/container) and use a throwaway JOOX account, then inspect any files the skill writes (joox-auth.json, snapshots) and network activity. If you want, I can list the exact commands the skill will run or help you vet the 'agent-browser' npm package and Playwright installation instructions.