ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

tushare股票数据源

v1.0.1

提供基于股票代码从Tushare获取A股股票基础数据,支持自定义返回条数。

0· 306·0 current·0 all-time
by@ghjkkkkkklkk

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for ghjkkkkkklkk/tushare-stock-data.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "tushare股票数据源" (ghjkkkkkklkk/tushare-stock-data) from ClawHub.
Skill page: https://clawhub.ai/ghjkkkkkklkk/tushare-stock-data
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install tushare-stock-data

ClawHub CLI

Package manager switcher

npx clawhub@latest install tushare-stock-data
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's purpose (querying Tushare for A-share basic data) matches what the code does, but the manifest declares no required credentials while the code unconditionally sets a Tushare token. A properly designed skill would ask the user to provide their own TUSHARE token via an environment variable or configuration rather than embedding one.
!
Instruction Scope
SKILL.md describes inputs/outputs and does not mention authentication or a token, yet main.py sets and uses a hardcoded token. The runtime instructions therefore omit a critical step (authentication) and give the agent no guidance about credential handling.
Install Mechanism
There is no install spec (instruction-only), which minimizes disk install risk. However the code depends on the third-party Python package 'tushare' but does not declare that dependency in the manifest or SKILL.md, so runtime failures are possible if the environment lacks it.
!
Credentials
The skill requests no environment variables in metadata, yet includes a hardcoded secret token in source code. This leaks an access credential (the embedded Tushare token) and prevents the user from supplying their own token — both are disproportionate and insecure.
Persistence & Privilege
The skill does not request persistent/always-on privileges and does not modify system or other skill configurations. Autonomous invocation defaults are normal and not by themselves concerning here.
What to consider before installing
Do not install or run this skill as-is. The included Python file contains a hardcoded Tushare API token — using the skill will expose that token and use someone else's credentials for API calls. Ask the author to remove the embedded token and instead declare a required TUSHARE_TOKEN environment variable (document it in SKILL.md). If this token belongs to you, rotate/revoke it immediately and replace it with a personal token supplied via a secure env var. Also request that the skill manifest declare its dependency on the 'tushare' Python package so you can install it deliberately. If you must test, run it in an isolated environment and avoid using production credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ezazwjygn6kkvx3d2wjfbbx83qr21stockvk97ezazwjygn6kkvx3d2wjfbbx83qr21tusharevk97ezazwjygn6kkvx3d2wjfbbx83qr21
306downloads
0stars
2versions
Updated 1mo ago
v1.0.1
MIT-0
@ghjkkkkkklkk
lateststocktushare
Download

Tushare 股票数据源

从 Tushare 获取 A 股股票基础数据,支持按股票代码查询。

输入参数

  • ts_code (string, 可选): 股票代码,如 "000001.SZ"
  • limit (int, 可选): 返回数据条数,默认 1

输出结果

  • status: 执行状态(success/error)
  • count: 返回数据条数
  • data: 股票基础数据列表

Comments

Loading comments...