financial_research
Pass
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: LOW, NO_CODE
Full Analysis
The provided SKILL.md file is a declarative definition of a skill, not an executable script. It specifies metadata such as name, description, version, and a list of allowed_tools. No direct malicious patterns were found within the skill's definition.
- Prompt Injection: No patterns indicative of prompt injection (e.g., 'IMPORTANT: Ignore', 'jailbreak') were found in the skill's description or workflow.
- Data Exfiltration: The skill does not contain any explicit commands for data exfiltration. While it mentions using financial_data and web_search tools, and create_document, the skill's definition itself does not instruct these tools to exfiltrate sensitive data. The security of these underlying tools would need separate verification.
- Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, URL/hex/HTML encoding) were detected in the markdown content.
- Unverifiable Dependencies: The skill mentions 'OpenBB' and 'AkShare' as data sources, which are external. However, the skill itself does not contain instructions to install or fetch these dependencies directly; it relies on a pre-existing financial_data tool. Therefore, this is not a direct 'unverifiable dependency' finding for the skill's definition.
- Privilege Escalation: No commands or instructions for privilege escalation (e.g., sudo, chmod 777) were found.
- Persistence Mechanisms: No patterns for establishing persistence (e.g., modifying .bashrc, crontab) were detected.
- Metadata Poisoning: All metadata fields (name, description, author, tags, allowed_tools, etc.) were scanned, and no malicious instructions or hidden content were found.
- Indirect Prompt Injection: The skill explicitly lists web_search and read_url among its allowed_tools and states its workflow involves using them to '获取新闻与背景资料' (obtain news and background information). Any skill that processes content from arbitrary external websites is inherently susceptible to indirect prompt injection, where malicious instructions could be embedded in the web content it reads. This is an inherent risk of such functionality and not a direct vulnerability introduced by the skill's definition itself.
- Time-Delayed / Conditional Attacks: No conditional logic based on time, usage, or environment was found.
Conclusion: The skill definition itself is clean and does not pose any direct security threats. The primary consideration is the inherent risk of indirect prompt injection when interacting with external web content, which is a general concern for any web-browsing capability.
Audit Metadata