stock-analysis-lianghua

The `analyze_stock.py` script contains a path traversal vulnerability in its caching mechanism. The `_find_cached_file` and `_save_cache` functions use the user-provided `symbol` directly in `os.path.join` to construct file paths. This allows an attacker to potentially read or write files to arbitrary locations on the system by injecting path traversal sequences (e.g., `../`) into the stock symbol. Additionally, the `SKILL.md` describes a LangGraph agent architecture where user input (`ticker`) is directly embedded into the LLM's system prompt, posing a prompt injection risk to the agent itself.