stock-research-group

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill fetches and ingests external research reports and other public financial data (e.g., Tushare APIs and report URLs), explicitly downloading PDFs from research_report.url (analyzers/research/download.py) and passing extracted text to an LLM for parsing (interpreters/research/extract.py), and SKILL.md even mandates auto-download/parse on "read/解析" requests — exposing the agent to untrusted third‑party content that can influence its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill fetches arbitrary external report URLs at runtime (download_report uses requests.get(row['url']) where url is research_report.url) and injects the extracted PDF text into the Gemini prompt flow (interpreters/research/_shared/llm.py), so remote content directly controls the model input.