TuShare Stock Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Tushare stock-data helper whose token, network use, and local cache fit its stated A-share research purpose.

Install in a virtual environment, provide only the Tushare token you intend this skill to use, and set TUSHARE_STOCK_ENV_FILE only to a small file containing that token. For production or automated trading workflows, pin dependencies and treat the realtime crawler endpoints as unverified external-source data with possible compliance and reliability limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
68% confidence
Finding
The catalog includes crawler-based realtime endpoints explicitly described as scraping third-party network sources and being outside normal Tushare server guarantees. In an agent skill, surfacing such endpoints can bypass expected trust, provenance, compliance, and stability assumptions, creating risk of brittle behavior, terms-of-service violations, or consumption of unverified external data.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas
tushare
requests
beautifulsoup4
Confidence
95% confidence
Finding
pandas

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas
tushare
requests
beautifulsoup4
Confidence
94% confidence
Finding
tushare

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas
tushare
requests
beautifulsoup4
Confidence
97% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
pandas
tushare
requests
beautifulsoup4
Confidence
92% confidence
Finding
beautifulsoup4

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
89% confidence
Finding
requests

VirusTotal

64/64 vendors flagged this skill as clean.
