analyze-stock

Warn

Audited by Socket on Mar 13, 2026

1 alert found:

Anomaly: LOW
SKILL.md

SUSPICIOUS. The skill’s purpose and visible capabilities mostly align with stock research/report generation, and it does not request credentials or route data through suspicious intermediaries. The main concern is install/execution trust: the unpinned `npx -y md-to-pdf` fallback executes remote npm code at runtime, and the referenced local `data_fetcher.py` cannot be reviewed here. This is better classified as medium supply-chain and prompt-injection risk than malicious behavior.

Confidence: 89%
Severity: 58%

Audit Metadata
Analyzed At: Mar 13, 2026, 06:08 PM
Package URL: pkg:socket/skills-sh/jssfy%2Fk-skills%2Fanalyze-stock%2F@683e7e2b71da92c4615ff1fe8ea38b76e75512f5