A Share Daily Report

Summary of what to check before installing: - Metadata vs code mismatch: The package documentation expects MX_APIKEY, TUSHARE_TOKEN, and Feishu credentials, but the skill registry did not declare required env vars. Treat the skill as needing API keys and authenticate accordingly. - Secrets exposure: The skill reads .env and config files and also references other skills by absolute workspace paths. Run it only in an isolated environment (dedicated venv/project) that does not contain unrelated secrets, and inspect your .env before running. - Inspect publisher code: Review scripts/publisher.py to see exactly which external endpoints it calls and how Feishu tokens are used (token scope, whether tokens are stored or transmitted). Consider removing or disabling the --publish path until you verify it. - Absolute/hardcoded paths: The default config uses an absolute user path (/Users/yibiao/...). Update config/config.yaml and outdir to safe, project-local paths before running to avoid accidental writes to unexpected locations. - Dependency imports: The code attempts to import other local skills (tushare-skills, akshare-cn-market). Confirm those imports point to intended, trusted packages in your environment; if they point to shared/global skill directories you don't control, prefer to sandbox or vendor the exact dependencies. - Run tests and dry-run: Execute the provided tests in an isolated environment (CI or throwaway VM) and run verify_data_sources/verify_data_truth to see which endpoints are contacted and whether mock-mode works. If you trust the author and will provide the required API keys, run the skill in an isolated workspace and explicitly set only the minimal env vars needed (avoid putting unrelated secrets in the same .env). If you do not control or trust the environment the skill will run in, treat this package as high-risk and do not install it system-wide.