Buffett Analysis

What to check before installing or running this skill: - Integration dependencies: The scripts call an mcporter toolset (fintool-*) and a separate us-market script (relative path ../../us-market/...). Verify those services/scripts exist in your environment and that you understand what credentials they use. The skill does not declare these dependencies or any env vars. - File writes: The instructions require appending reports to alpha-factor-lab/fundamental-reports.json. Confirm you want the skill to modify that file and that it won't overwrite or leak other data. The path is not declared as a required config in the manifest. - Code-level injection risk: The Python scripts build shell commands and call subprocess.run(..., shell=True) with user-provided keywords. If untrusted input reaches those functions, shell injection is possible. Review the scripts and ensure inputs are sanitized or the code is changed to avoid shell=True. - Temporary files and predictable paths: The scripts read/write predictable /tmp files (e.g., /tmp/buffett_analysis_{code}.json). Verify the runtime environment's /tmp policy and consider running in an isolated environment to avoid TOCTOU or sensitive-file mixing. - Review network/data exfil patterns: The skill performs web_search/web_fetch and calls platform connectors — ensure that collected data is acceptable to transmit and that external endpoints are trusted. - Operational recommendation: Only run this skill in a controlled environment, review and/or harden the scripts (avoid shell=True, properly escape inputs, declare required config paths and credentials), and confirm you consent to the skill modifying alpha-factor-lab/fundamental-reports.json. If you need higher assurance, request the author add explicit manifest entries for dependencies and config paths and fix subprocess usage.