us-stock-researcher

Fail

Audited by Socket on Feb 27, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

The package is a legitimate automation for SEC-filing analysis, but it contains notable supply-chain and data-exfiltration risks stemming from overly broad tool permissions (Bash with python3.11:*), automatic uploading of local files to an external Files API, and unpinned/unreviewed download scripts. Before running it in environments containing sensitive data, apply mitigations: restrict or sandbox shell execution, implement file-path whitelists and per-upload confirmation, audit and pin download script sources/endpoints, and minimize the environment secrets available to the agent. With these mitigations the tool is suitable for its intended research purpose; as-is it is medium risk.

Confidence: 98%

Audit Metadata

Analyzed At: Feb 27, 2026, 05:52 PM
Package URL: pkg:socket/skills-sh/skindhu%2Fskind-skills%2Fus-stock-researcher%2F@5319b1dfc137644f5e6ed6b0419a1a932025dca9