findata-toolkit-us

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's runtime scripts clearly fetch and parse public third‑party data (e.g., scripts/sec_edgar.py pulls filings and Form 4 XML from data.sec.gov/www.sec.gov, scripts/stock_data.py and scripts/factor_screener.py ingest company info and longBusinessSummary via yfinance from Yahoo Finance, and scripts/macro_data.py reads FRED series), and that untrusted public content is parsed and used to compute scores and drive analysis outputs — meaning external content can materially influence decisions and tool behavior.