Trading Assistant Clean V2

Before installing or running this skill, review the following: - Inspect live_trading_interface.py and config.py for any code that connects to broker APIs or performs order/POST operations. The presence of a 'live trading interface' contradicts the SKILL.md claim of no trade execution. - Search the codebase for network calls (requests.post / urllib.request.urlopen) and examine target domains. a_stock_data.py calls Sina Finance endpoints (hq.sinajs.cn and money.finance.sina.com.cn) even though SKILL.md claims only Twelve Data and Alpha Vantage. - Open .env.example and any config loading logic to confirm the skill truly does not auto-load .env files. README/Docker examples mount a .env into the container — if you use those instructions, ensure you only include keys you intend to expose. - Audit notification modules (Feishu/DingTalk/Email) for undeclared env vars or webhook URLs. If you do not need notifications, remove or disable those modules. - Run the tool in an isolated environment (container or VM) first, with minimal secrets set, and monitor outbound connections to ensure it only calls expected APIs. - If you plan to provide broker credentials or enable 'live' features, only do so after manual code review and confirming explicit, declared env variables and secure handling of those credentials. Given the mismatches between the advertised safety model and the repository contents, treat this skill as potentially risky until you confirm there is no hidden execution or undeclared credential usage.