Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tushare Finance Jarvis
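v2.0.7
Retrieves Chinese financial market data (A-shares, Hong Kong stocks, US stocks, funds, futures, bonds). Supports 220+ Tushare Pro interfaces: stock quotes, financial statements, macroeconomic indicators. Use when the user requests stock price data, financial analysis, index quotes, or macro data such as GDP/CPI.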
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, README, SKILL.md and the included reference docs and scripts match the stated purpose of querying Tushare Pro APIs for market and macro data. However, metadata.json (in the package) declares Python and an env var (TUSHARE_TOKEN) as required, whereas the top-level registry summary showed no required env/binaries; this mismatch is an incoherence in the package metadata (the Tushare token is legitimate for the stated purpose).
Instruction Scope
SKILL.md limits actions to using the Tushare Python SDK, asking the user to provide a TUSHARE_TOKEN, verifying Python imports, installing tushare/pandas if missing, and calling pro_api() endpoints. It does not instruct reading arbitrary host files or exfiltrating unrelated data; allowed-tools include Bash/python which is reasonable for a Python-based client.
Install Mechanism
There is no automated download-from-URL or opaque installer in the install spec — this is instruction-only with included code files. The README suggests pip installs and optional 'clawhub install' but no high-risk remote artifact fetch is embedded in the skill itself.
Credentials
Functionality legitimately requires a Tushare API token (TUSHARE_TOKEN) and possibly optional env vars like TUSHARE_CACHE_DIR or TUSHARE_LOG_LEVEL. But the registry summary provided to you lists 'Required env vars: none' while metadata.json inside the package lists TUSHARE_TOKEN and bins: [python3]. This mismatch in declared required credentials is an incoherence; the token is expected for the purpose, but the registry omission may mislead users about needed secrets.
Persistence & Privilege
Skill is not 'always:true' and does not request persistent elevated privileges. It appears to be user-invocable and to operate within its own scope (no evidence it modifies other skills or system-wide settings).
What to consider before installing
This skill implements a Tushare Pro client and will need your TUSHARE_TOKEN (and Python + pip to install tushare/pandas if missing). Before installing:
1) Verify you trust the skill source (README points to a GitHub repo — review it).
2) Expect to provide only your Tushare token; do not paste broader secrets.
3) Inspect scripts/api_client.py for any unexpected network endpoints or hard-coded telemetry before running.
4) Because the package metadata inside the archive declares TUSHARE_TOKEN/python3 but the registry summary omitted them, treat the omission as a packaging error — assume the token is required and store it securely (e.g., in an environment variable, not in chat).
5) If you need extra caution, run the skill in an isolated environment/VM or container and monitor outbound network connections.
Like a lobster shell, security has layers — review code before you run it.
