ETF投资助理
Verdict: Pass
Audited by VirusTotal on May 10, 2026.
Findings (1)
The skill bundle is classified as suspicious due to a command injection vulnerability in the `etf-assistant.sh` script. Specifically, in the `cmd_price` and `cmd_compare` functions, user-provided ETF codes (`$code`, `$code1`, `$code2`) are directly interpolated into double-quoted strings within `$(...)` subshells. This allows an attacker to inject shell metacharacters (e.g., `;`, `&&`) to execute arbitrary commands on the agent's system, such as `etf-assistant price "510300; rm -rf /"`. While the skill's stated purpose is benign and the `SKILL.md` does not contain prompt injection, this vulnerability represents a high-risk capability that could be exploited for unauthorized actions.
