czsc-thinking
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUMCOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The utility script 'scripts/example_workflow.py' utilizes 'os.system()' to run internal scripts, constructing the command strings with f-strings that directly include command-line arguments such as '--token' and '--ts_code'.
- [COMMAND_EXECUTION]: These arguments are not sanitized or validated, making the script vulnerable to command injection. Using shell metacharacters like ';' or '&' in the arguments would allow an attacker to execute unauthorized commands. For example, a stock code parameter like '000001.SZ; whoami' would execute the 'whoami' command on the host.
- [COMMAND_EXECUTION]: This represents a high-risk pattern if the skill is integrated into automated environments where parameters are derived from external, untrusted sources.
Audit Metadata