tushare

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Tushare financial-data helper. Its main risks are the usual ones for an API-backed helper: how the Tushare API token is handled, and Python dependencies that are not pinned to exact versions.

Before installing, treat your Tushare token like an account credential: supply it through the TUSHARE_TOKEN environment variable or a secret manager rather than hardcoding it in scripts or notebooks, keep it out of source control, and pin dependency versions in production or shared environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity
Low
Confidence
92%
Finding
The README demonstrates setting an API token directly in code using a string literal placeholder, but does not warn users against hardcoding real credentials or committing them to source control. In an agent/skill context, documentation examples are often copied verbatim, which increases the chance that users will embed sensitive tokens in scripts, notebooks, or shared repos and accidentally expose them.
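The following is an added example, not the skill's code or the README's snippet, showing the hardened counterpart of the pattern this finding describes: the token is read from the TUSHARE_TOKEN variable named in the overview, the process fails closed when it is absent, the value is redacted before it reaches a log, and a small source check flags the set_token("...") literal so it can run in pre-commit or CI. The function and class names (load_tushare_token, redact, find_literal_tokens, build_pro_api, MissingTokenError) are this example's own, and the snippets it scans are constructed. It assumes, about the tushare library itself, that ts.pro_api() accepts the token as its first argument and that ts.set_token() caches the token to a file in the home directory; only build_pro_api depends on tushare, and it imports the library lazily so the rest runs without it installed.

```python
"""Added example (not the skill's own code): keep the Tushare token out of source.

Reads TUSHARE_TOKEN at runtime, refuses to start without it, redacts it for
logs, and flags the hardcoded set_token("...") pattern that READMEs show and
users copy. Names are this example's own; sample snippets are constructed."""
import os
import re
from typing import List, Mapping

ENV_VAR = "TUSHARE_TOKEN"

# The pattern that gets copied from READMEs into scripts and notebooks:
#     ts.set_token("0123456789abcdef...")   # literal ends up in git history
# What we want instead: the token comes from the environment or a secret
# manager, and the code never contains or prints it.


class MissingTokenError(RuntimeError):
    """Raised when no usable token is configured; fail closed, never fall back."""


def load_tushare_token(env: Mapping[str, str] = os.environ) -> str:
    """Return the token from TUSHARE_TOKEN, or raise if it is absent or blank."""
    token = env.get(ENV_VAR, "").strip()
    if not token:
        raise MissingTokenError(
            f"{ENV_VAR} is not set; export it or inject it from a secret manager"
        )
    return token


def redact(token: str) -> str:
    """Keep a short prefix/suffix so logs can tell tokens apart without leaking them."""
    if len(token) <= 8:
        return "*" * len(token)
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


# Matches set_token("literal") or set_token('literal'). A variable or an
# os.environ lookup as the argument does not match, which is the point.
_LITERAL_TOKEN_RE = re.compile(r"""set_token\(\s*(['"])([^'"\n]+)\1\s*\)""")


def find_literal_tokens(source: str) -> List[str]:
    """Return string literals passed directly to set_token() in Python source.

    Run it over scripts and notebooks in pre-commit or CI; anything it
    returns is a credential that is about to be committed."""
    return [m.group(2) for m in _LITERAL_TOKEN_RE.finditer(source)]


def build_pro_api(env: Mapping[str, str] = os.environ):
    """Create a Tushare Pro client without writing the token to disk.

    Assumptions about the library: ts.pro_api() takes the token as its first
    argument, and ts.set_token() would cache it to a file in the home
    directory (one more place for it to leak). tushare is imported lazily so
    the rest of this module works, and is testable, without it installed."""
    token = load_tushare_token(env)
    import tushare as ts  # assumed API, see docstring
    return ts.pro_api(token)


if __name__ == "__main__":
    # Constructed samples: one snippet copied from a README, one fixed.
    bad = 'import tushare as ts\nts.set_token("0123456789abcdef0123456789abcdef")\n'
    good = 'import tushare as ts\nts.set_token(os.environ["TUSHARE_TOKEN"])\n'
    print("literals in bad.py :", [redact(t) for t in find_literal_tokens(bad)])
    print("literals in good.py:", find_literal_tokens(good))
```

Run find_literal_tokens over every .py file and exported notebook in the repository as a pre-commit hook; a non-empty result means a credential is about to be committed. The README's own placeholder will trip the check, which is the intended behaviour: replace it with the environment lookup before publishing, so that the snippet users copy is already the safe one.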

Unpinned Dependencies

Severity
Low
Category
Supply Chain
Content
tushare>=1.3.0
pandas>=1.5.0
Confidence
92%
Finding
tushare>=1.3.0 sets only a lower bound, so pip installs whichever newest release is on the index at install time; a breaking, yanked-and-replaced, or compromised release satisfies the constraint just as well as the one the author tested. Pin an exact version (==), ideally with hashes, in production or shared environments.

Unpinned Dependencies

Severity
Low
Category
Supply Chain
Content
tushare>=1.3.0
pandas>=1.5.0
Confidence
95%
Finding
pandas>=1.5.0 sets only a lower bound, so pip installs whichever newest release is on the index at install time; a breaking, yanked-and-replaced, or compromised release satisfies the constraint just as well as the one the author tested. Pin an exact version (==), ideally with hashes, in production or shared environments.
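As an added example that is not part of the skill or this scan, here is a small audit of a requirements file that reports exactly what these two findings report: a requirement whose only constraint is a lower bound. It treats a requirement as pinned only when it carries an exact == clause without a wildcard, and separately notes whether --hash values are attached. The parsing is this example's own (Requirement, parse_requirements and unpinned are not pip's API), and the sample file content is constructed from the two flagged lines plus one pinned, hashed line.

```python
"""Added example (not the skill's or this report's code): audit a requirements
file for unpinned specifiers. Names are this example's own; SAMPLE is constructed."""
import re
from dataclasses import dataclass
from typing import List

# name, optional [extras], then the version specifier (may be empty)
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")


@dataclass
class Requirement:
    name: str
    specifier: str   # e.g. ">=1.3.0" or "==2.32.3"; "" for a bare name
    pinned: bool     # an exact "==" clause without a wildcard is present
    hashed: bool     # at least one --hash=... is attached


def _logical_lines(text: str) -> List[str]:
    """Join backslash continuations; drop comments, blank lines and pip options."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        buf = ""
        if stripped and not stripped.startswith("-"):   # skips -r, --index-url, ...
            lines.append(stripped)
    if buf.strip():
        lines.append(buf.strip())
    return lines


def parse_requirements(text: str) -> List[Requirement]:
    """Classify every requirement line as pinned or not, and hashed or not."""
    out: List[Requirement] = []
    for line in _logical_lines(text):
        parts = line.split()
        hashes = [p for p in parts if p.startswith("--hash=")]
        spec_text = " ".join(p for p in parts if not p.startswith("--"))
        m = _NAME_RE.match(spec_text)
        if not m:
            continue
        name, spec = m.group(1), m.group(3).replace(" ", "")
        clauses = [c for c in spec.split(",") if c]
        # ">=", "~=", "!=" and "==1.5.*" all leave the installed version open.
        pinned = any(c.startswith("==") and "*" not in c for c in clauses)
        out.append(Requirement(name.lower(), spec, pinned, bool(hashes)))
    return out


def unpinned(text: str) -> List[str]:
    """The lines a reviewer should flag, in the form the finding above uses."""
    return [f"{r.name}{r.specifier}" for r in parse_requirements(text) if not r.pinned]


SAMPLE = """\
# constructed sample: the two flagged lines plus one pinned, hashed requirement
tushare>=1.3.0
pandas>=1.5.0
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for r in parse_requirements(SAMPLE):
        status = ("pinned" + (" +hash" if r.hashed else "")) if r.pinned else "UNPINNED"
        print(f"{r.name:<10} {r.specifier:<12} {status}")
```

In practice the pinned, hashed file is produced by a resolver such as pip-compile --generate-hashes (pip-tools) from the loose ranges; this check then guards against the loose file being the one that gets installed, and pip install --require-hashes makes the hashes mandatory at install time.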

VirusTotal

57/57 vendors flagged this skill as clean.
