xueqiu-summary
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill performs legitimate web scraping and data aggregation as described in its documentation. No malicious patterns such as credential theft, hidden backdoors, or privilege escalation were detected.
- [EXTERNAL_DOWNLOADS]: During the installation process, the skill downloads standard browser automation tools (Playwright and Chromium) and NPM packages from official, well-known registries. These are documented as necessary dependencies for the scraping functionality.
- [COMMAND_EXECUTION]: The skill invokes Node.js and curl to interact with financial APIs. These operations are limited to the scope of fetching market data and user posts from the Xueqiu platform.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill accesses local configuration files (
watchlist.jsonandportfolio.json) to identify which users and stocks to monitor. It handles the sensitive authentication token (XQ_A_TOKEN) via environment variables rather than hardcoding it, which is a security best practice.
Audit Metadata