Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tushare A-Share Data

v1.0.0

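Provides Tushare Pro data queries through 23 explicitly defined stock APIs, covering market quotes, basic information, and adjustment factors, with support for calls by specified stock code and date range.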

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and documentation implement a focused Tushare Pro client exposing 23 named APIs — this matches the skill name/description. However, the top-level registry summary in the package header claimed 'Required env vars: none' while metadata.json and SKILL.md clearly require TUSHARE_TOKEN. That's an incoherence in manifests rather than a functional mismatch.
Instruction Scope
SKILL.md and the handler only describe/accept explicit query parameters and the Tushare token; the runtime code only reads TUSHARE_TOKEN (or token passed in params) and does not access unrelated files, other environment secrets, or unexpected network endpoints. Calls go through the tushare library to Tushare's API as expected.
Install Mechanism
There is no platform install spec (lowest risk), but the package includes requirements.txt (tushare, pandas) and metadata requires python3. The skill will need pip-installing those Python packages in the runtime environment; the lack of an explicit install block in the registry is an operational omission to be aware of, not a direct security problem.
Credentials
Only TUSHARE_TOKEN is required, which is appropriate for a Tushare Pro client. The inconsistency between the registry summary (which said no env vars) and metadata.json (which lists TUSHARE_TOKEN) is the main concern — confirm the platform will provide the token only to this skill and that you won't accidentally expose other secrets. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide settings. It runs as a normal user-invocable skill and does not claim elevated persistence or cross-skill privileges.
What to consider before installing
This skill appears to be what it says: a constrained Tushare Pro client that requires your TUSHARE_TOKEN and the Python packages tushare and pandas. Before installing:

1) Confirm the platform metadata (registry view) actually exposes/protects the TUSHARE_TOKEN as declared in metadata.json; the top-level summary shown earlier incorrectly said 'no env vars' — treat that as a manifest inconsistency.
2) Ensure you are comfortable supplying your Tushare token (it grants access to your Tushare account and any paid data/quotas).
3) Make sure the runtime environment will install the listed Python dependencies (pip install tushare pandas) or preinstall them.
4) If you need to audit network access, note the code uses the official tushare client (no hardcoded external endpoints), so network calls will go to Tushare servers.

If you want higher assurance, request the maintainer correct the manifest inconsistency and provide a reproducible install/test procedure.

Like a lobster shell, security has layers — review code before you run it.
