rq-earnings-analysis

Warn

Audited by Gen Agent Trust Hub on Apr 27, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: Potential script injection risk in SKILL.md. The bash workflow instructions interpolate shell variables (e.g., ${ORDER_BOOK_ID}) directly into Python heredoc blocks (`python3 <<PY ... PY`). If these variables are populated with untrusted user input, this allows arbitrary Python code execution within the agent's environment.
  • [COMMAND_EXECUTION]: The generate_report.py script uses subprocess.run to call an external HTML renderer (rq-report-renderer). While it uses shutil.which to find the binary, it executes commands based on user-supplied output paths, which could be exploited if inputs are not strictly validated.
  • [EXTERNAL_DOWNLOADS]: The extract_announcements.py script fetches PDF files from the Shanghai Stock Exchange (static.sse.com.cn). It includes specialized logic to solve anti-bot challenges for this legitimate financial source, which is functional rather than malicious.
  • [PROMPT_INJECTION]: Indirect prompt injection surface detected.
    1. Ingestion points: External web search results (web_search_findings.json) and PDF text extracted from announcements.
    2. Boundary markers: No explicit delimiters or boundary markers are used in the report templates to isolate processed external text.
    3. Capability inventory: Use of subprocess.run in the reporting pipeline.
    4. Sanitization: The generate_report.py script performs basic character normalization and truncation via the normalize_text and compact_text functions.
  • [SAFE]: The obfuscation detection for the large hex-encoded blob in extract_announcements.py is a false positive. The data is a static index list used by a cookie-calculation algorithm to bypass anti-bot mechanisms on the official Shanghai Stock Exchange website.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 27, 2026, 06:12 AM