Security audit

tushare-finance

Security checks across malware telemetry and agentic risk

Overview

The skill's core market-data use is coherent, but it also bundles credential-based, CAPTCHA-solving documentation-crawling automation that should be reviewed before installation.

Install only if you are comfortable with a skill that includes more than read-only finance queries. For normal Tushare use, provide only a TUSHARE_TOKEN and avoid running scripts/crawl_docs.py unless you intentionally want documentation sync. Do not provide TUSHARE_ACCOUNT or TUSHARE_PASSWORD to automation without reviewing the script and Tushare terms, and treat exported datasets as potentially sensitive financial or personal data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Description-Behavior Mismatch

Severity: Medium. Confidence: 90%.
Finding: The README describes functionality beyond simple financial-data retrieval: an automated crawler that logs into Tushare, solves captchas, scrapes large numbers of pages, writes repository files, and opens pull requests. In a skill advertised as a data-access tool, this materially expands the operational and security scope, introducing credential use, browser automation, filesystem modification, and remote content ingestion that could be abused or surprise users.

Context-Inappropriate Capability

Severity: Medium. Confidence: 88%.
Finding: Automated login, captcha solving, and large-scale scraping are high-risk capabilities that are not necessary for the stated end-user purpose of retrieving market data through Tushare APIs. This mismatch increases the chance of hidden side effects, policy violations, credential exposure, or unauthorized automation being bundled into a seemingly benign skill.

Description-Behavior Mismatch

Severity: Medium. Confidence: 90%.
Finding: This document exposes a non-financial `film_record` interface inside a skill described as focused on Chinese financial-market, fund, futures, bond, and macroeconomic data. That scope mismatch can cause overbroad tool access, misleading users and downstream agents into querying unrelated datasets, which weakens least-privilege boundaries and increases the chance of inappropriate data handling or policy bypass.

Description-Behavior Mismatch

Severity: Medium. Confidence: 92%.
Finding: The documented `teleplay_record` interface exposes television production filing data, which is unrelated to the skill's declared purpose of providing financial, market, fund, futures, bond, and macroeconomic data. This broadens the skill's effective capability beyond user expectations and can enable unintended data access or policy bypass if downstream systems trust the manifest scope for authorization or routing decisions.

Context-Inappropriate Capability

Severity: Medium. Confidence: 90%.
Finding: Including entertainment and cultural administrative record retrieval in a finance-focused skill creates a scope mismatch that may mislead users, reviewers, or calling agents about what data the skill can access. In context, this is more dangerous because the skill metadata strongly suggests finance-only usage, so hidden unrelated capabilities increase the risk of unauthorized or unexpected data retrieval.

Description-Behavior Mismatch

Severity: Medium. Confidence: 92%.
Finding: The file documents access to CCTV News transcripts and frames them as material for studying party directives and values, which is outside the declared finance/market/macroeconomic scope of the skill. In a finance skill, this creates a scope-expansion risk: the agent may retrieve or surface political content unrelated to the user's financial request, increasing the chance of propaganda injection, off-mission responses, and user trust violations.

Intent-Code Divergence

Severity: Medium. Confidence: 95%.
Finding: The introductory description explicitly says the dataset is intended to help study party guidance and promote socialist values, which conflicts with the stated purpose of a financial-market data skill. That mismatch is dangerous because embedded ideological framing can steer model behavior or outputs toward political persuasion under the cover of a finance tool, especially when the agent ingests documentation as trusted capability context.

Description-Behavior Mismatch

Severity: Medium. Confidence: 95%.
Finding: The file documents a movie box-office API inside a skill whose declared purpose is finance-market and macroeconomic data. This scope drift can cause the agent to invoke or expose capabilities unrelated to user expectations, weakening policy boundaries and increasing the chance of unintended data access or misuse of the skill outside its approved domain.

Description-Behavior Mismatch

Severity: Medium. Confidence: 93%.
Finding: The skill includes an `export_data` method that writes arbitrary files to a caller-supplied path, which exceeds the stated data-retrieval purpose in the manifest. In an agent setting, this creates an unnecessary file-write primitive that could be abused to overwrite local files, persist sensitive market data or derived outputs, or write into unintended locations if the path is influenced by untrusted input.

Context-Inappropriate Capability

Severity: Medium. Confidence: 97%.
Finding: This code automates login and CAPTCHA solving with OCR to access documentation pages, which is unrelated to the stated finance-data retrieval purpose and indicates a bypass of an interactive access-control step. Even if intended for convenience, automating CAPTCHA handling can violate service protections and expands the skill's behavior into credential use and anti-bot evasion, increasing abuse and compliance risk.

Missing User Warnings

Severity: Medium. Confidence: 93%.
Finding: The README states that the workflow performs automated login, CAPTCHA solving, and document crawling, but does not provide user-facing warnings about handling Tushare account credentials or the fact that the skill/workflow performs external network activity and repository writes. Lack of transparency around secret use and outbound actions can mislead operators into exposing credentials or enabling automation they did not intend.

Missing User Warnings

Severity: Low. Confidence: 82%.
Finding: The skill tells users to export a long-lived Tushare token into an environment variable but provides no warning about secret handling, shell history exposure, process inheritance, or avoiding logging/printing the token. While common practice, this can still lead to accidental credential disclosure in shared shells, debug output, or persisted shell config files.

Missing User Warnings

Severity: Medium. Confidence: 92%.
Finding: The document exposes and exemplifies multiple personal data elements for named individuals, including name, gender, nationality, birthday, employment dates, and optional resume content, without any privacy warning, minimization guidance, or usage restrictions. In a finance-data skill, this increases the chance that an agent will surface or process personally identifiable information about company managers unnecessarily, enabling privacy-invasive profiling or over-collection.

Missing User Warnings

Severity: Medium. Confidence: 90%.
Finding: The document instructs users to obtain data through off-platform channels (WeChat contact and network-disk delivery) instead of a controlled API flow. This creates privacy, social-engineering, and data-handling risks because users may disclose account or business information through informal channels and receive files outside the platform's normal trust and auditing boundaries.

Missing User Warnings

Severity: Low. Confidence: 81%.
Finding: The document explicitly promotes a crawler-based real-time quote interface using third-party sources and notes that data does not pass through Tushare servers, but it does not clearly warn users that requests will be sent to external providers and may expose query patterns, IP address, or account-linked usage context. In a finance data skill, this is a genuine transparency and privacy concern, though the impact is limited because the transmitted data is typically stock codes rather than highly sensitive personal data.

Natural-Language Policy Violations

Severity: Medium. Confidence: 90%.
Finding: The text promotes a specific political ideology without any user opt-in or relevance filter, which is inappropriate in a finance-focused skill. If surfaced to users or used as latent tool context, it can bias responses, inject unsolicited political messaging, and undermine neutrality and user expectations.

Unpinned Dependencies

Severity: Low. Category: Supply Chain. Confidence: 91%.
Content:
tushare>=1.2.60
pandas>=1.5.0
Finding: tushare>=1.2.60

Unpinned Dependencies

Severity: Low. Category: Supply Chain. Confidence: 93%.
Content:
tushare>=1.2.60
pandas>=1.5.0
Finding: pandas>=1.5.0

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.