Tushare Daily Market Sense

Pass

Audited by ClawScan on May 11, 2026.

Overview

This skill appears aligned with generating A-share market reports, but it uses local Python scripts, external market-data APIs, a Tushare token, and generated files that users should understand before running.

Before installing, be comfortable with a local Python script making outbound calls to Tushare, AKShare, and JRJ; provide TUSHARE_TOKEN deliberately; run it in an isolated Python environment; and review the proxy-clearing behavior if you use a managed network. The observed behavior is purpose-aligned and no malicious exfiltration or destructive actions are evidenced.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill needs access to your Tushare account token to fetch market data.

Why it was flagged

The data pipeline reads a Tushare API token from the environment or a local .env file. This is expected for Tushare access, but it is credential use and the registry metadata declares no credential.

Skill content
token = os.environ.get("TUSHARE_TOKEN", "").strip() ... env_path = os.path.join(os.getcwd(), ".env")
Recommendation

Provide only a Tushare token intended for this use, avoid storing unrelated secrets in the working-directory .env file, and consider declaring this credential in the skill metadata.

What this means

Running the skill will create and remove local report-related files as part of the analysis workflow.

Why it was flagged

The workflow directs the agent to execute a local Python script and later delete specific generated evidence/context files. The deletion scope is limited to same-date report artifacts.

Skill content
Generate the evidence package: run `scripts/run_daily_panel.py` ... delete the temporary evidence and context files for the same date, keeping only the final report.
Recommendation

Run it from the intended skill directory, review generated paths, and keep a copy of evidence files if you want to preserve them before cleanup.

What this means

If your network requires or audits outbound traffic through a proxy, these API calls may not use that proxy.

Why it was flagged

The runner removes proxy environment variables for its own execution before making data-provider calls. This is local and non-persistent, but it can bypass a user-configured proxy.

Skill content
for key in ("HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY", "http_proxy", "https_proxy", "all_proxy"): cleaned.pop(key, None)
Recommendation

Review this behavior before running in managed networks, and modify the runner if proxy use is required.

What this means

Users must supply dependencies from their own Python environment, which can affect reproducibility and package trust.

Why it was flagged

The skill depends on Python packages for data fetching and processing, but there is no install spec or pinned dependency list in the provided metadata.

Skill content
import pandas as pd ... import tushare as ts ... import akshare as ak ... import requests
Recommendation

Install dependencies from trusted sources and prefer a pinned requirements file or isolated virtual environment.

What this means

Report context may be passed between agents or subagents depending on the host agent platform.

Why it was flagged

The skill uses subagent orchestration to process module JSON. The artifact gives explicit data boundaries, and the shared content appears to be generated market evidence rather than private user data.

Skill content
The main agent distributes the 6 module JSONs to 6 subagents to write in parallel ... each subagent sees only its own module data
Recommendation

Use this workflow only on platforms where you are comfortable with subagent context sharing, and avoid adding private notes to the generated module JSON.