zettaranc-perspective

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to ask the user for a Tushare token and then embed that token verbatim into commands and function calls (e.g., python -c "test_jnb_connection('用户给的token')" and write_env_file(token='xxx')), which requires the LLM to handle and output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and ingests open/public third‑party content (e.g., via Tushare API and "websearch", plus scripts like scripts/batch_download_bilibili.py and README/CHANGELOG references to downloading Bilibili/YouTube transcripts) and mandates using those fetched indicators/transcripts as inputs for the LLM ("Step 2: 必须使用工具获取真实信息" and Python data→LLM review flows), so untrusted, user‑generated web content is read and can materially influence the agent's decisions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill, when run in JNB mode, calls external Tushare API endpoints (e.g., https://tushare.pro/ — and the configurable proxy TUSHARE_API_URL such as http://tsy.xiaodefa.cn) to fetch market/K‑line/indicator data at runtime which is then injected into the LLM prompt context and is required for the skill’s functionality, so this external URL dependency directly controls the agent's prompts.