China Stock Data

Warn

Audited by ClawScan on May 15, 2026.

Overview

This is mostly a stock-data tool, but review it before use because some credential handling is unclear and one “real-time” briefing output appears to use hardcoded market data.

Use this skill only for data lookup, not trading decisions. Before entering any iFinD, Tushare, JQData, RiceQuant, or Wencai credentials, verify exactly which file stores the token and which API endpoint receives it. Treat the image briefing as unreliable unless it is changed to fetch live data.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A paid or private Tushare token could be sent to an unverified, non-HTTPS endpoint, exposing the token or account quota.

Why it was flagged

This tells the agent to use a Tushare Pro token with a custom HTTP endpoint, rather than clearly documenting use of the standard provider endpoint.

Skill content

client.DataApi._DataApi__http_url = "http://tushare.xyz"
pro = ts.pro_api('token')

Recommendation

Do not provide a Tushare token unless the endpoint is verified. Prefer the official Tushare HTTPS endpoint and require the skill to document exactly where tokens are sent.

What this means

The skill may reuse or modify an existing token from another local skill or folder without the user realizing this skill is accessing it.

Why it was flagged

The code reads and refresh-writes an iFinD token file in a sibling 'tonghuashun' directory, while SKILL.md describes placing ifind_config.json with this skill.

Skill content

CFG = os.path.join(os.path.dirname(DIR), 'tonghuashun', 'ifind_config.json') ... with open(CFG,"w") as f: json.dump(IF,f,ensure_ascii=False,indent=2)

Recommendation

Keep provider tokens in a clearly documented, skill-local config path, or require explicit user confirmation before reading or modifying shared credential files.

What this means

A user could mistake sample or stale market numbers for live financial data.

Why it was flagged

The file claims to generate a real-time market briefing from the stock-data skill, but the implementation states that the briefing data is hardcoded.

Skill content

Fetch real-time data from china-stock-data ... def generate(...): """Generate the morning briefing image; data is hardcoded (kept lightweight, no dependency on subprocess calls)"""

Recommendation

Label this output as a demo/static template, or change it to fetch live data before displaying prices, headlines, or index values.

What this means

Following these instructions could violate data-source terms or damage the user’s network reputation.

Why it was flagged

The reference documentation includes rate-limit avoidance techniques. The scanned code mainly implements throttling, but these instructions could lead an agent or user to bypass provider controls.

Skill content

Rate-limit avoidance strategies ... rotate User-Agent ... use a proxy pool for multi-IP rotation

Recommendation

Prefer official APIs, caching, and slower request rates; avoid proxy rotation or User-Agent manipulation unless the provider explicitly permits it.

What this means

Installing later dependency versions may introduce bugs or unexpected behavior even if the skill code itself is unchanged.

Why it was flagged

The setup uses lower-bound dependency ranges without a lockfile or hashes, so future package versions could change behavior.

Skill content

requests>=2.28.0 ... pytdx>=1.74 ... akshare>=1.14.0

Recommendation

Install in a virtual environment and prefer pinned, reviewed dependency versions for repeatable use.