ftshare-all-in-one

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION

Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches financial data from whitelisted domains market.ft.tech and ftai.chat. This whitelist is centrally managed in scripts/common.py and enforced by a custom URL opener that validates the netloc of every request.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to run local Python scripts. It employs a dispatcher script (run.py) that uses runpy.run_path to execute sub-commands. This dispatcher includes a security check that validates requested scripts against a whitelist of files found in the scripts/ directory, preventing the execution of arbitrary files.
  • [DATA_EXPOSURE]: The skill provides functionality to download PDF, XML, and Excel files from remote servers. To prevent path traversal attacks, the download scripts (download_announcement.py, download_etf_pcf.py, etc.) utilize a _safe_output_path function that uses os.path.commonpath to ensure all files are saved within the intended local directory structure.

Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 17, 2026, 02:05 PM