financial-data
Audited by Socket on Feb 25, 2026
1 alert found:
Obfuscated File

Functionally, the module is a legitimate financial-data ETL and risk-calculation helper with appropriate validation and deduplication building blocks. I found no explicit malicious code or obfuscation in the examples. The primary security risk is operational: the documentation recommends routing API requests (potentially containing tokens and financial data) through third-party/public CORS proxies and lacks guidance on least-privilege OAuth scopes, secret management, token rotation, and log redaction. Hardcoded exchange rates are an integrity issue for financial calculations. Recommended mitigations: avoid public proxies (use server-side proxying or proper CORS configuration), restrict OAuth scopes, store and rotate secrets securely, redact sensitive fields from logs, fetch authoritative FX rates from trusted services, and add confirmation/dry-run modes for bulk upserts.