Tushare Cli

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward read-only Tushare finance data CLI that uses a disclosed API token and shows no hidden persistence, destructive behavior, or unrelated data handling.

Install only if you intend to query Tushare and are comfortable providing a TUSHARE_TOKEN for external API access. Keep the token private, expect Tushare quota or access limits to apply, and consider pinning or reviewing the tushare Python dependency before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Severity: Medium
Confidence: 88%

Finding: The triggers include broad finance-related phrases such as '股票数据', '财务数据', and '财经新闻', which are common in normal conversation and may invoke the skill unexpectedly. Overbroad activation can route unrelated user requests into a token-using external-data skill, causing unintended tool execution, unnecessary external queries, or surprise access to sensitive environment-backed functionality.

Missing User Warnings

Severity: Low
Confidence: 84%

Finding: The description presents the tool as a simple finance query utility but omits that it depends on a sensitive API token (`TUSHARE_TOKEN`). This weakens informed consent and can lead users or orchestrators to enable or invoke the skill without understanding that secret material is required and will be used for external API access.

VirusTotal

65/65 vendors flagged this skill as clean.