The Agent Skills Directory

[COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands to activate a Python virtual environment and run scripts (e.g., views_runner.py) located in a sibling directory (../findata-toolkit-cn/). This is an intended part of the workflow for retrieving and analyzing market data.
[EXTERNAL_DOWNLOADS]: The documentation guides the agent to install Python dependencies from a local requirements file (pip install -r ../findata-toolkit-cn/requirements.txt). This involves fetching third-party packages from official registries during the setup phase.
[CREDENTIALS_UNSAFE]: The skill mentions the use of an environment variable XUEQIU_TOKEN to access authenticated data sources. No hardcoded secrets were found, but this confirms the skill's capability to handle sensitive authentication tokens.
[PROMPT_INJECTION]: The skill ingests untrusted market data from external financial providers such as AKShare and East Money (referenced in references/data-queries.md and references/methodology.md). As the skill lacks explicit boundary markers or sanitization logic for these inputs while maintaining code execution capabilities (python scripts), it presents a surface for indirect prompt injection.

etf-allocator