Tushare 期货数据
v1.0.0提供明确支持的14个Tushare期货接口,涵盖期货合约信息、各类行情数据、仓单持仓及指数等全面期货数据查询服务。
⭐ 0· 113·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description, SKILL.md, README, requirements.txt and __init__.py all consistently implement a narrow Tushare Pro futures-data wrapper exposing 14 listed APIs. The declared Python dependencies (tushare, pandas) are appropriate for this purpose.
Instruction Scope
SKILL.md and handler logic keep scope to calling Tushare APIs and returning JSON. The runtime instructions only require a Tushare token (param or env) and do not instruct reading unrelated files or exfiltrating data. Minor implementation issues exist (see guidance) but they are bugs, not evidence of malicious scope creep.
Install Mechanism
No install script or remote download is present; the package is instruction+Python code with a standard requirements.txt. This is low-risk compared with arbitrary remote installers.
Credentials
The skill only needs a Tushare API token (TUSHARE_TOKEN) which is proportionate to contacting Tushare Pro. However, there is an inconsistency: the skill bundle's top-level registry metadata reported 'Required env vars: none' while metadata.json and the SKILL.md state TUSHARE_TOKEN is required. This mismatch should be resolved before trust/automation is granted.
Persistence & Privilege
always:false and no special system-level privileges requested. The skill does not attempt to modify other skills or system configs and does not require permanent platform-wide presence.
Assessment
This skill appears to be a straightforward Tushare Pro wrapper for futures data and only needs your TUSHARE_TOKEN. Before installing: 1) Provide a dedicated Tushare token with the minimal permissions you need (avoid sharing broader account credentials). The skill will send that token to Tushare Pro when calling APIs. 2) Note the metadata inconsistency: some registry metadata omitted the required env var while metadata.json and docs require TUSHARE_TOKEN — confirm the platform will protect that env var. 3) The code has a couple of minor bugs (e.g., trade_cal is routed through pro.query but the implementation may not pass the 'api_name' correctly; import failures of tushare are caught but will surface unclear error messages). These are functionality/usability issues, not indicators of data exfiltration. 4) Ensure tushare and pandas are installed in the runtime environment; test calls with a token that has restricted permissions first. 5) If you plan to allow the agent to invoke skills autonomously, be aware the skill can make arbitrary API calls to Tushare using your token — restrict token scope and monitor usage.Like a lobster shell, security has layers — review code before you run it.
latestvk973jr23q87ysfw9s9dr3kbedd84d8s0
License
MIT-0
Free to use, modify, and redistribute. No attribution required.