Tushare Futures Data

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Tushare futures-data wrapper that needs a user-provided API token and has routine dependency hygiene risks.

Use a dedicated Tushare token and prefer providing it through TUSHARE_TOKEN or a secret manager instead of pasting it into prompts or request JSON. In controlled environments, pin dependency versions or use a lockfile before installing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documentation explicitly encourages passing the Tushare token in invocation parameters but does not warn that request parameters may be logged, stored in histories, or exposed to other components of the platform. In an agent/platform context, secrets supplied as normal inputs are more likely to leak through telemetry, debugging output, prompt traces, or shared transcripts, making credential compromise plausible.

Unpinned Dependencies

Low
Category
Supply Chain
Content
tushare>=1.2.89
pandas>=1.5.0
Confidence
91% confidence
Finding
tushare>=1.2.89

Unpinned Dependencies

Low
Category
Supply Chain
Content
tushare>=1.2.89
pandas>=1.5.0
Confidence
94% confidence
Finding
pandas>=1.5.0

VirusTotal

61/61 vendors flagged this skill as clean.
