Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
tushare-finance
v2.0.6 · Fetches Chinese financial market data (A-shares, Hong Kong stocks, US stocks, funds, futures, bonds). Supports 220+ Tushare Pro interfaces: stock quotes, financial statements, and macroeconomic indicators. Use when the user asks for stock price data, financial analysis, index quotes, or macro data such as GDP/CPI.
⭐ 41 · 18k · 194 current · 202 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, README, SKILL.md, reference docs and the included Python client (scripts/api_client.py) all consistently describe a Tushare Pro data client — requiring a TUSHARE_TOKEN and Python packages. However the top-level registry summary reported 'Required env vars: none' while metadata.json and SKILL.md explicitly reference TUSHARE_TOKEN and python3; this mismatch is unexplained and should be clarified.
Instruction Scope
SKILL.md instructs the agent to ask the user for a Tushare token, verify Python and required packages, and call Tushare APIs. The runtime instructions do not ask the agent to read unrelated system files, other credentials, or to post data to unexpected endpoints. The guidance to add the token to ~/.bashrc is standard but is a user-side persistence choice (see guidance).
Install Mechanism
There is no formal install spec in the registry (instruction-only), which is lower risk, but the package includes many files and a Python client. That combination means installing/using the skill will require running pip and executing local Python code manually — the skill will not automatically install dependencies. This is not malicious but is an operational/packaging inconsistency the user should notice.
Credentials
The skill legitimately needs a TUSHARE_TOKEN to call Tushare Pro and the code/docs expect Python and packages (tushare, pandas). Those are proportionate. However the registry's reported 'Required env vars: none' conflicts with metadata.json's openclaw.requires listing TUSHARE_TOKEN and python3. That discrepancy could lead to silent failure or misconfiguration and should be resolved before trusting the skill with credentials.
Persistence & Privilege
always is false and the skill is user-invocable. There is no evidence the skill requests permanent platform-wide privileges or modifies other skills' configs. Instruction to add the token to shell rc files is a user action, not an automatic privilege escalation by the skill.
What to consider before installing
This skill appears to be a Tushare Pro client (220+ endpoints) and needs a TUSHARE_TOKEN and a Python environment. Before installing:
- Confirm which definition is authoritative: the registry view reported no env vars but metadata.json and SKILL.md require TUSHARE_TOKEN and python3 — resolve this mismatch.
- Inspect scripts/api_client.py (and any other scripts) to ensure network calls are limited to the Tushare API (no hidden external endpoints or telemetry). If you are not comfortable reading code, run it in an isolated environment (VM/container) first.
- Prefer passing TUSHARE_TOKEN at runtime rather than permanently writing it to ~/.bashrc if the token is sensitive. Consider using a dedicated, limited-permission account/token.
- Since there's no automated install spec, be prepared to pip install the declared packages (tushare, pandas, openpyxl). Check package versions and consider using a virtualenv.
- Verify the referenced GitHub repository (README points to one) to confirm the source and check for recent changes or issues.
If these checks are acceptable and you verify the client only talks to tushare.pro (no other endpoints), the skill is consistent with its purpose. If you cannot validate the code or the registry/metadata mismatch remains unresolved, avoid installing or provide only a low-privilege token in a sandboxed environment.
Version: latest (vk97574ht5t3bxg7a1vtdjc6z49815494)
