The Web UI ships with authentication disabled by default and binds to all interfaces in Docker, meaning anyone on the network can read every API key in the settings panel — enable ADMIN_AUTH_ENABLED before exposing this to any network beyond localhost.
Web UI authentication is disabled by default — ADMIN_AUTH_ENABLED must be explicitly set to true in .env to protect the settings panel, which contains all configured API keys (LLM providers, Telegram tokens, email credentials, financial data API keys); without this, anyone able to reach port 8000 can read and modify all secrets. Enabling authentication is necessary but not sufficient: the Docker port mapping should also bind the UI to 127.0.0.1 rather than to all interfaces, and any key that was configured while the panel was reachable unauthenticated from a shared network should be treated as exposed and rotated (source: https://github.com/ZhuLinsen/daily_stock_analysis README).
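A pre-flight check that covers both halves of this finding, added here as an example and not code from the daily_stock_analysis project: it parses a .env file for ADMIN_AUTH_ENABLED and inspects Docker Compose style `ports:` entries to see whether port 8000 is published on all interfaces. It assumes (these are not from the README) that the project reads ADMIN_AUTH_ENABLED with a case-insensitive comparison to "true", that .env uses plain KEY=VALUE lines, and that the UI is published with a mapping of the form "[host_ip:]host_port:container_port"; the sample .env contents are constructed.

```python
"""Pre-flight check for an unauthenticated, network-exposed Web UI.

Added example, not part of the project. Assumptions: ADMIN_AUTH_ENABLED is
compared case-insensitively to "true"; .env is KEY=VALUE; the Compose port
entry is "[host_ip:]host_port:container_port" (Docker publishes on 0.0.0.0
when no host_ip is given).
"""
import re

UI_PORT = 8000  # port named in the project README

_ENV_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_env(text):
    """Minimal .env parser: skips blank lines and comments, strips matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _ENV_LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]
        env[key] = value
    return env


def port_is_exposed(mapping, container_port=UI_PORT):
    """True if a 'ports:' entry publishes container_port on a non-loopback host address.

    "8000:8000" and a bare "8000" publish on all interfaces (Docker default);
    "127.0.0.1:8000:8000" stays on loopback.
    """
    parts = mapping.strip().strip('"\'').split(':')
    cport = parts[-1].split('/')[0]          # drop a "/tcp" or "/udp" suffix
    if cport != str(container_port):
        return False
    if len(parts) <= 2:                       # no host_ip given -> 0.0.0.0
        return True
    host_ip = ':'.join(parts[:-2]).strip('[]')  # IPv6 literals contain colons
    return host_ip not in ('127.0.0.1', '::1', 'localhost')


def audit_web_ui(env_text, port_mappings):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    env = parse_env(env_text)
    auth_on = env.get('ADMIN_AUTH_ENABLED', '').lower() == 'true'
    if not auth_on:
        findings.append('ADMIN_AUTH_ENABLED is not true: settings panel (all API keys) is unauthenticated')
    exposed = [m for m in port_mappings if port_is_exposed(m)]
    if exposed:
        findings.append('port %d published on all interfaces: %s' % (UI_PORT, ', '.join(exposed)))
    if not auth_on and exposed:
        findings.append('CRITICAL: unauthenticated secrets reachable from the network; rotate every key in .env')
    return findings


# Constructed sample inputs (not taken from the repository).
DEFAULT_ENV = 'EXAMPLE_API_KEY=placeholder\n# ADMIN_AUTH_ENABLED=true\n'
HARDENED_ENV = 'EXAMPLE_API_KEY="placeholder"\nADMIN_AUTH_ENABLED=true\n'

if __name__ == '__main__':
    for finding in audit_web_ui(DEFAULT_ENV, ['8000:8000']):
        print('FAIL:', finding)
    print('hardened:', audit_web_ui(HARDENED_ENV, ['127.0.0.1:8000:8000']))
```

Run it against the real .env and the `ports:` block of the Compose file before publishing the container; the third finding is the case described above, where both controls are missing at once and the keys must be assumed read.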
No SECURITY.md has been set up — the GitHub security page explicitly states 'This project has not set up a SECURITY.md file yet', meaning there is no private reporting path, no acknowledgement SLA, and no documented vulnerability handling process (source: https://github.com/ZhuLinsen/daily_stock_analysis/security).
The operator is identified only by the GitHub handle 'ZhuLinsen' (display name 'mumu') with a personal Gmail contact (zhuls345@gmail.com); no real name, legal entity, LinkedIn profile, or professional identity has been found — there is no formal accountability or recourse mechanism (source: https://github.com/ZhuLinsen; https://github.com/ZhuLinsen/daily_stock_analysis).
Financial analysis outputs — including precise buy/sell price points and strategy recommendations — are generated by third-party LLMs and routed to 8 messaging platforms; both the Chinese and English READMEs explicitly disclaim investment advice, but the tool’s 'decision dashboard' format (buy/hold/sell signals with price targets) creates meaningful risk of misuse by users who treat AI outputs as financial guidance (source: https://github.com/ZhuLinsen/daily_stock_analysis/blob/main/docs/README_EN.md).
LiteLLM is a core dependency, so the March 2026 PyPI supply chain attack on litellm versions 1.82.7 and 1.82.8 (documented in the nanobot review) applies here as well: any floating specifier in requirements.txt that admits those releases, or a fresh install made while they were live, may have pulled them in. Pin LiteLLM to an exact, verified version (ideally with a --hash entry) and check the installed version on existing deployments before use (source: https://github.com/ZhuLinsen/daily_stock_analysis requirements.txt; cross-reference https://github.com/HKUDS/nanobot/discussions/2445).
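An audit of the litellm line in a requirements.txt, added here as an example and not code from the project or from the nanobot review: it classifies the specifier as missing, unpinned, reachable to a compromised release, pinned, or pinned with a hash. The compromised version numbers are the two named in the cross-referenced discussion; the version comparison is a simplified numeric one that ignores pre-release tags (an assumption, adequate for litellm's dotted releases), and the sample requirement lines are constructed.

```python
"""Classify the litellm requirement in a pip requirements file.

Added example, not from the project. BAD_VERSIONS are the releases named in
the referenced nanobot discussion. Version comparison is numeric-only
(pre-release tags ignored), which is an assumption made for brevity.
"""
import re

BAD_VERSIONS = {'1.82.7', '1.82.8'}
_REQ = re.compile(r'^\s*([A-Za-z0-9_.-]+)(\[[^\]]*\])?\s*(.*)$')
_SPEC = re.compile(r'(===|==|~=|!=|<=|>=|<|>)\s*([0-9][0-9A-Za-z.*+-]*)')


def vtuple(v):
    """'1.82.7' -> (1, 82, 7); trailing '.*' wildcards contribute nothing."""
    return tuple(int(p) for p in re.findall(r'\d+', v))


def matches(version, op, target):
    """Does `version` satisfy the single clause `op target`?"""
    a, b = vtuple(version), vtuple(target)
    if target.endswith('.*'):                 # ==1.82.* / !=1.82.*
        return (a[:len(b)] == b) == (op != '!=')
    if op in ('==', '==='):
        return a == b
    if op == '!=':
        return a != b
    if op == '<':
        return a < b
    if op == '<=':
        return a <= b
    if op == '>':
        return a > b
    if op == '>=':
        return a >= b
    if op == '~=':                            # compatible release: >=b, ==b[:-1].*
        return a >= b and a[:len(b) - 1] == b[:-1]
    raise ValueError(op)


def audit_litellm(requirements_text, name='litellm'):
    """Return (verdict, detail) for the first `name` line in the file."""
    text = requirements_text.replace('\\\n', ' ')      # join hash continuation lines
    for raw in text.splitlines():
        line = re.split(r'(?:^|\s)#', raw)[0].strip()  # drop comments
        if not line or line.startswith('-'):           # -r, --index-url, ...
            continue
        m = _REQ.match(line)
        if not m or m.group(1).lower().replace('_', '-') != name:
            continue
        rest = m.group(3)
        if rest.startswith('@'):
            return 'unpinned', 'direct URL reference; verify the commit or archive hash by hand'
        has_hash = '--hash=' in rest
        specs = _SPEC.findall(rest.split(';')[0])      # ignore environment markers
        exact = [v for op, v in specs if op in ('==', '===') and not v.endswith('.*')]
        if not exact:
            admitted = sorted(b for b in BAD_VERSIONS
                              if all(matches(b, op, v) for op, v in specs))
            if admitted:
                return 'compromised', 'spec %r admits %s' % (rest.strip() or '(any)', ', '.join(admitted))
            return 'unpinned', 'no exact == pin; resolution can drift to a future bad release'
        if exact[0] in BAD_VERSIONS:
            return 'compromised', 'pinned to known-compromised %s' % exact[0]
        return ('pinned+hash' if has_hash else 'pinned'), exact[0]
    return 'missing', '%s not listed' % name


# Constructed sample lines (not the project's requirements.txt).
SAMPLES = [
    'litellm\n',
    'litellm>=1.82\n',
    'litellm==1.82.8\n',
    'litellm>=1.80,<1.82.7\n',
    'litellm==1.82.9\n',
    'litellm==1.82.9 \\\n    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000\n',
]

if __name__ == '__main__':
    for sample in SAMPLES:
        print('%-28r -> %s: %s' % (sample.split('\n')[0], *audit_litellm(sample)))
```

Only the "pinned+hash" verdict gives pip a reason to refuse a substituted artifact, so treat the other verdicts as work items. On a deployment that was installed from a floating spec, also compare `importlib.metadata.version('litellm')` against BAD_VERSIONS, since the lockfile fix does nothing for packages already on disk.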