ClawHub
Back to skill
v1.0.9

Tushare Pro

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:17 AM.

Analysis

This appears to be a coherent read-only Tushare market-data skill, with the main things to notice being its API token requirement and unpinned Python dependencies.

GuidanceThis skill looks suitable for fetching Tushare market data, but install it only if you are comfortable providing a Tushare API token and installing the Python dependencies it requires. Protect the token like a password, and use the official Tushare site directly if you do not want to use the parameterized registration link.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
pip3 install tushare pandas --user

The setup installs unpinned Python packages. This is normal for a Python-based Tushare wrapper, but it relies on the current packages available from the package index.

User impactInstalling dependencies trusts the maintainers and the package index for tushare and pandas.
RecommendationInstall dependencies from a trusted environment, and consider pinning known-good package versions if reproducibility or supply-chain control matters.
Human-Agent Trust Exploitation
SeverityInfoConfidenceMediumStatusNote
SKILL.md
https://tushare.pro/weborder/#/login?reg=503098

The registration link includes an extra reg parameter rather than just the base Tushare site, which may indicate referral or registration tracking.

User impactUsing the provided signup link may associate registration with that parameter.
RecommendationIf you prefer not to use a parameterized signup link, navigate to the official Tushare homepage directly.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
export TUSHARE_TOKEN="your-api-token-here"

The skill asks the user to configure a Tushare API credential. This is expected for Tushare access, but the token can represent account/API privileges.

User impactAnyone with access to the configured token may be able to use the user's Tushare API quota or paid permissions.
RecommendationUse a token intended for this purpose, avoid sharing shell configuration files, and rotate the token if it is exposed.