Systematic investment value analysis of listed companies, supporting A-shares, Hong Kong stocks, and US stocks

Pass. Audited by VirusTotal on May 11, 2026.

Findings (1)

The skill bundle implements a high-risk feature by starting a background HTTP server on port 8888 using 'python3 -m http.server' in 'generate-pdf-report.sh' to serve generated reports. While this aligns with the stated purpose of providing downloadable reports, it opens an unauthenticated network port within the environment. Additionally, multiple scripts (e.g., 'analyze.sh', 'generate-pdf-report.sh', and 'fetch-research.sh') are highly vulnerable to shell command injection because they use unsanitized user inputs like stock codes and company names directly in shell commands and curl arguments. There is no evidence of intentional data exfiltration, but the combination of network exposure and critical injection vulnerabilities warrants a suspicious classification.