tech-hype-vs-fundamentals

Pass

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [SAFE]: No malicious patterns or direct security threats were identified in the skill instructions or supporting files.
  • [COMMAND_EXECUTION]: The skill requires the execution of local Python scripts and environment management tools (../findata-toolkit-cn/scripts/views_runner.py). These are documented as vendor-provided components for data retrieval.
  • [CREDENTIALS_UNSAFE]: The skill identifies the requirement for an API token (XUEQIU_TOKEN) but correctly instructs the user to configure it as an environment variable rather than hardcoding it, which is the recommended secure practice.
  • [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it processes data from external financial sources.
    - Ingestion points: Financial and market data retrieved via the views_runner.py tool (documented in references/data-queries.md).
    - Boundary markers: Absent; there are no explicit delimiters or instructions to ignore commands embedded within the fetched data.
    - Capability inventory: The skill's capabilities are limited to data analysis and structured report generation (output-template.md); no high-risk capabilities such as arbitrary code execution, file system writes, or network exfiltration are exposed to the processed data.
    - Sanitization: Absent; the skill passes raw external data into the analysis framework without filtering.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 10, 2026, 03:24 AM