investment-advisor
Pass
Audited by VirusTotal on May 12, 2026.
Findings (1)
The skill is classified as suspicious due to URL injection vulnerabilities in `scripts/fundamental.mjs` and `scripts/technical.mjs`. User-controlled stock symbols are directly embedded into API request URLs for `eastmoney.com` without robust sanitization. Specifically, `scripts/fundamental.mjs`'s `fetchNews` function embeds the symbol into a URL-encoded JSON parameter, which could allow an attacker to manipulate API calls to the external data source. However, there is no evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints, persistence mechanisms, or explicit prompt injection instructions for the agent to deviate from its stated purpose.
