limit-up-limit-down-risk-checker

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to activate a virtual environment and execute Python scripts (views_runner.py) from a relative directory (../findata-toolkit-cn/) outside the skill's own package. This pattern of executing external local code can be used to run arbitrary logic if the toolkit directory is compromised.
  • [EXTERNAL_DOWNLOADS]: The references/data-queries.md file contains instructions to install Python dependencies using a relative requirements file (../findata-toolkit-cn/requirements.txt), which allows the skill to pull and install external packages at runtime.
  • [PROMPT_INJECTION]: The skill processes untrusted market data, specifically 'reasons for limit up' (涨停原因) fetched from financial data providers like AKShare. This creates a surface for indirect prompt injection if the source data contains instructions masquerading as financial news.
  • [PROMPT_INJECTION]: Evidence chain for indirect injection:
    1. Ingestion points: references/methodology.md (fetches stock_zt_pool_em, including free-text descriptions).
    2. Boundary markers: absent from the methodology and output templates.
    3. Capability inventory: ability to execute shell commands and Python scripts, as defined in references/data-queries.md.
    4. Sanitization: no explicit validation or filtering of the market data text is documented.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 10, 2026, 03:23 AM