Xueqiu Combo Report

The skill's files and runtime instructions are coherent with its stated purpose (collecting Xueqiu combo holdings from a logged-in browser, merging/patching them, ranking stocks, and exporting reports) and do not request unrelated credentials or perform unexpected network installs.

This skill appears to do what it says, but consider these points before installing or running: (1) The upstream collection step requires the agent's browser tool to run inside an already-logged-in Xueqiu session — that will expose session cookies and page content to the tool; only allow this if you trust the environment and the skill. (2) Review any batch JSON inputs and patch JSON carefully before merging; patches overwrite combos by symbol. (3) The scripts generate HTML by interpolating fields from input data without sanitization — treat untrusted input cautiously (malicious HTML could be embedded). (4) PDF rendering calls a local Chrome/Chromium binary (the script uses --no-sandbox when invoking it), so ensure you run in a safe, isolated environment if you have security concerns. (5) There are no hidden network endpoints or required secrets, and you can inspect the included Python scripts directly; run them locally or in an isolated container if you want to limit exposure.