Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stock Data Export

v1.0.0

Exports A-share stock and index daily, weekly, or monthly data from Tushare API to Excel, CSV, or JSON for quantitative analysis and backtesting.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated purpose (exporting A‑share daily/weekly/monthly data from Tushare to CSV/Excel/JSON) is coherent. However, _meta.json lists a runtime requirement of 'tushare' (Python package) while the registry metadata claims no required env vars or binaries. SKILL.md explicitly says a Tushare API token is required. These mismatches indicate the manifest does not fully reflect what the skill needs to operate.
Instruction Scope
SKILL.md contains only user-facing command examples and a note that a Tushare token must be configured. It does not instruct the agent to read arbitrary system files, access unrelated cloud credentials, or contact unknown endpoints. The scope of instructions stays within the described purpose (fetching market data and exporting it).
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be downloaded or written by the platform installer. That lowers installation risk, but it also means the SKILL.md must accurately describe runtime dependencies (which it does not fully do).
Credentials
SKILL.md requires a Tushare API token, and _meta.json lists 'tushare' as a requirement, but the registry metadata declares no required environment variables and no primary credential. This omission is inconsistent and could mislead users about what secrets they'd need to provide. There's no justification for any additional credentials, but the manifest should declare at least the Tushare token requirement and how it should be supplied.
Persistence & Privilege
The skill does not request elevated persistence: always is false and there is no install script or config-writing behavior in the package. Autonomous model invocation is allowed (platform default) but not combined with other high-risk signals.
What to consider before installing
This skill appears to do what it says (export data from Tushare), but the package metadata is inconsistent: SKILL.md requires a Tushare API token and _meta.json mentions the 'tushare' dependency, yet the registry entry lists no required env vars or install steps. Before installing or providing credentials:
1) Ask the publisher for the source code or a homepage so you can inspect how the token is used and where network requests go.
2) Confirm the exact environment variable or config key name the skill expects (e.g., TUSHARE_TOKEN) and whether the token is transmitted only to the official Tushare API.
3) If you must provide a token, use a token with minimal scope and run the skill in an isolated environment (sandbox/container).
4) Verify payment/ownership details (the package is marked paid but has no homepage).
5) If you need stronger assurance, request a version that includes an explicit install spec and the small script code so you (or someone you trust) can review it; absence of code now reduces install risk but also prevents verification.

Like a lobster shell, security has layers — review code before you run it.
