Backed by the EastMoney (东方财富) database, this skill generates earnings-review outputs (including financial report analysis and earnings interpretation) for listed companies/stocks across the five markets of Shanghai, Shenzhen, Beijing, Hong Kong and the US. The Skill should be triggered when the user explicitly asks for an earnings review, financial report analysis or earnings interpretation, or uses expressions such as「业绩点评」「财报点评」「业绩分析」「季报/半年报/年报点评」「财务分析」「盈利分析」「业绩解读」. The user names a specific company/stock...
Security Analysis
Confidence: high
The skill's code, required environment variable, and runtime behavior are consistent with its stated purpose (calling EastMoney APIs to generate earnings reviews and saving returned attachments); nothing requests unrelated credentials or performs unexpected installs.
Name/description say it uses 东方财富 (EastMoney) data; the code calls EastMoney ai-saas endpoints (ENTITY_API, REPORT_LIST_API, PERFORMANCE_COMMENT_API) and requires a single EM_API_KEY for auth — this is appropriate and proportional to the stated purpose.
The SKILL.md and scripts clearly define entity recognition → report selection → call review API flow and instruct the agent to save attachments and optional JSON debug logs. That stays within the stated scope. Note: the scripts write returned attachments and logs to the local filesystem (default miaoxiang/stock-earnings-review/<run_id>/...). Also, save_attachment_payload does not sanitize filenames (it writes out Path(output_dir)/filename), so if the remote API ever returned a crafted filename with path traversal characters it could cause files to be written outside the intended directory; in the current codepaths the filenames used in call_review_api are fixed (e.g., 'review.pdf'), but the lack of filename sanitization is a minor implementation risk to be aware of.
This is instruction-only with a single declared Python dependency (httpx). No arbitrary downloads, package installs from untrusted URLs, or extract operations are present — low install risk.
Only EM_API_KEY is required (plus optional output-dir env vars) which matches the need to authenticate to EastMoney. No unrelated secrets or multiple credentials are requested.
always:false and no unusual persistence or cross-skill configuration changes. The skill writes per-run files into a project-scoped directory (configurable via env), which is expected for this functionality.
Guidance
This skill appears to do what it says: it calls EastMoney APIs using EM_API_KEY and saves returned attachments and optional debug logs under miaoxiang/stock-earnings-review by default. Before installing:
1) Verify the EM_API_KEY's issuer, scope, and expiry and prefer a key with least privilege.
2) Be aware that the skill will transmit the API key in request headers to ai-saas.eastmoney.com — do not supply keys that grant broader access (e.g., account management).
3) The skill writes files to the current working directory (or to a directory you set via STOCK_EARNINGS_REVIEW_OUTPUT_DIR); if you run the agent in a sensitive filesystem location, consider changing the output dir.
4) There is a minor implementation risk: filenames are not sanitized in the generic save routine, so avoid using this skill with untrusted/malicious API endpoints or altering code that allows external filenames.
If you need higher assurance, ask the publisher for code signing, a vetted release, or run the scripts in an isolated environment.
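The unsanitized `Path(output_dir)/filename` join flagged in the analysis above and in guidance item 4 is the kind of defect a reviewer would want fixed before trusting remotely supplied names. The following is an added example written for this page, not code from the skill: a validated replacement for the save routine that refuses any name with a directory component and then re-checks the resolved path. The function names and the sample filenames are constructed for illustration.

```python
from pathlib import Path, PurePosixPath
import tempfile


def is_safe_attachment_name(filename: str) -> bool:
    """True only for a plain file name with no directory component.

    Rejects empty and dot names, NUL bytes, absolute paths and anything
    containing '/' or '\\', so '../../.bashrc' or 'C:\\x.pdf' is refused.
    """
    if not filename or filename in (".", "..") or "\x00" in filename:
        return False
    normalised = filename.replace("\\", "/")
    if "/" in normalised:
        return False
    # PurePosixPath.name strips any directory part; it must equal the input.
    return PurePosixPath(normalised).name == normalised


def safe_attachment_path(output_dir: str, filename: str) -> Path:
    """Join output_dir and filename, refusing anything that escapes output_dir.

    The unsanitised pattern this replaces is simply Path(output_dir) / filename.
    """
    if not is_safe_attachment_name(filename):
        raise ValueError(f"unsafe attachment filename: {filename!r}")
    base = Path(output_dir).resolve()
    target = (base / filename).resolve()
    # Defence in depth: the resolved file must sit directly inside base
    # (this also catches a pre-existing symlink pointing elsewhere).
    if target.parent != base:
        raise ValueError(f"attachment would escape {base}: {filename!r}")
    return target


def save_attachment_hardened(output_dir: str, filename: str, payload: bytes) -> Path:
    """Write payload under output_dir using the validated name; returns the path."""
    target = safe_attachment_path(output_dir, filename)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(payload)
    return target


if __name__ == "__main__":
    # Constructed inputs: one benign name and one crafted traversal name.
    with tempfile.TemporaryDirectory() as out_dir:
        print(save_attachment_hardened(out_dir, "review.pdf", b"%PDF-1.4 demo"))
        try:
            save_attachment_hardened(out_dir, "../../escaped.txt", b"x")
        except ValueError as exc:
            print("rejected:", exc)
```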
Latest Release
v1.0.3
Publish 1.0.3
Published by @financial-ai-analyst on ClawHub