License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (financial analysis, valuation, risk) match the included Python scripts and declared Python dependencies (tushare, pandas, numpy). The code implements analysis, valuation, and risk functions and uses the Tushare API for data — this is expected for the stated purpose.
Instruction Scope
SKILL.md instructs the agent/user to run the provided Python scripts and to (optionally) set TUSHARE_TOKEN. The runtime instructions do not ask to read unrelated files, scan the host, or exfiltrate data; they do make outbound API calls to Tushare (expected for fetching market/financial data).
Install Mechanism
There is no formal install spec (instruction-only), but SKILL.md/README ask you to pip install tushare/pandas/numpy. That is expected for a Python CLI. Minor oddity: package.json exists and lists Python packages under 'dependencies' (a Node-style manifest used as metadata) — unusual but not harmful. No downloads from arbitrary URLs or archive extraction were found.
Credentials
The code reads a single environment variable TUSHARE_TOKEN (used to obtain a pro API client). That credential is proportional to the task. However, the registry metadata lists no required env vars while SKILL.md and the scripts reference TUSHARE_TOKEN (optional) — a documentation/metadata mismatch to be aware of.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always:false), and it does not modify other skills or global agent configuration. Autonomous invocation is allowed by default (normal) and is not combined with other red flags.
Assessment
This skill appears to be a straightforward Python CLI for financial analysis that fetches data from the Tushare API. Before installing: 1) Understand it will make network requests to Tushare (if you set TUSHARE_TOKEN or use its API). 2) If you plan to provide a TUSHARE_TOKEN, treat it like any API secret — only use a token with the minimum needed privileges and avoid using high-privilege or production tokens in untrusted environments. 3) Install dependencies in an isolated Python environment (venv/conda) to limit risk. 4) Note the minor metadata issues: the registry metadata omits the optional TUSHARE_TOKEN and package.json is present but used as metadata (not a Python packaging file). 5) If you need stronger assurance, inspect the repository yourself or run the scripts in a sandbox before giving any credentials.
Like a lobster shell, security has layers — review code before you run it.
latestvk97bdwsfxh22x5x5ytwgt6jqqd83skg2
