股票全面分析

Key issues to consider before installing or running this skill: - Hard-coded API key: Multiple source files include a plain-text Finnhub API key. This is undocumented in the manifest and could be someone else's key. Do NOT assume it's safe or private — ask the author to remove it and require users to provide their own FINNHUB_API_KEY via environment variables. - Undeclared environment variables: Some scripts read FINNHUB_API_KEY and test_longbridge.py reads LONGBRIDGE_ACCESS_TOKEN. The skill's requires.env lists none. Confirm which API tokens you must supply and prefer env vars over embedded keys. - Network calls to third parties: The code queries endpoints beyond well-known providers (e.g., ai.6551.io for news). Verify these endpoints' trustworthiness and privacy policy before running as they will see your requests and any tokens you supply. - Runnable test/debug scripts: Several debug/test files (company_info.py, test_*.py, debug_*.py) perform network I/O on import/run and print data. Only run the specific main script you trust (e.g., analyze_stock.py) and review other scripts first. - Secret hygiene & provenance: Ask the author for provenance of the included API key and for an explanation why it was embedded. If you must run the skill, do so in a sandboxed environment and rotate any keys you use. Prefer to set FINNHUB_API_KEY in your environment rather than relying on the package's hard-coded token. - Minimal steps to reduce risk: (1) Inspect and remove/replace hard-coded keys in the code; (2) run only the intended script(s) in a network‑restricted sandbox until you confirm endpoints; (3) request the author to document required env vars and endpoints in SKILL.md; (4) verify third-party endpoints (ai.6551.io, qt.gtimg.cn, futunn.com, finnhub.io, eastmoney) are acceptable for your data/usage policy. If you want, I can point to the exact files/lines that contain the hard-coded key and list all external URLs the package contacts so you can review them more easily.