ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

tushare-finance

获取中国金融市场数据(A股、港股、美股、基金、期货、债券)。支持220+个Tushare Pro接口:股票行情、财务报表、宏观经济指标。当用户请求股价数据、财务分析、指数行情、GDP/CPI等宏观数据时使用。

MIT-0 · Free to use, modify, and redistribute. No attribution required.
37 · 14.3k · 155 current installs · 162 all-time installs
by@stanleychanh
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, README, SKILL.md, reference docs and the included Python client (scripts/api_client.py) all consistently describe a Tushare Pro data client — requiring a TUSHARE_TOKEN and Python packages. However the top-level registry summary reported 'Required env vars: none' while metadata.json and SKILL.md explicitly reference TUSHARE_TOKEN and python3; this mismatch is unexplained and should be clarified.
Instruction Scope
SKILL.md instructs the agent to ask the user for a Tushare token, verify Python and required packages, and call Tushare APIs. The runtime instructions do not ask the agent to read unrelated system files, other credentials, or to post data to unexpected endpoints. The guidance to add the token to ~/.bashrc is standard but is a user-side persistence choice (see guidance).
Install Mechanism
There is no formal install spec in the registry (instruction-only), which is lower risk, but the package includes many files and a Python client. That combination means installing/using the skill will require running pip and executing local Python code manually — the skill will not automatically install dependencies. This is not malicious but is an operational/packaging inconsistency the user should notice.
!
Credentials
The skill legitimately needs a TUSHARE_TOKEN to call Tushare Pro and the code/docs expect Python and packages (tushare, pandas). Those are proportionate. However the registry's reported 'Required env vars: none' conflicts with metadata.json's openclaw.requires listing TUSHARE_TOKEN and python3. That discrepancy could lead to silent failure or misconfiguration and should be resolved before trusting the skill with credentials.
Persistence & Privilege
always is false and the skill is user-invocable. There is no evidence the skill requests permanent platform-wide privileges or modifies other skills' configs. Instruction to add the token to shell rc files is a user action, not an automatic privilege escalation by the skill.
What to consider before installing
This skill appears to be a Tushare Pro client (220+ endpoints) and needs a TUSHARE_TOKEN and a Python environment. Before installing: - Confirm which definition is authoritative: the registry view reported no env vars but metadata.json and SKILL.md require TUSHARE_TOKEN and python3 — resolve this mismatch. - Inspect scripts/api_client.py (and any other scripts) to ensure network calls are limited to the Tushare API (no hidden external endpoints or telemetry). If you are not comfortable reading code, run it in an isolated environment (VM/container) first. - Prefer passing TUSHARE_TOKEN at runtime rather than permanently writing it to ~/.bashrc if the token is sensitive. Consider using a dedicated, limited-permission account/token. - Since there's no automated install spec, be prepared to pip install the declared packages (tushare, pandas, openpyxl). Check package versions and consider using a virtualenv. - Verify the referenced GitHub repository (README points to one) to confirm the source and check for recent changes or issues. If these checks are acceptable and you verify the client only talks to tushare.pro (no other endpoints), the skill is consistent with its purpose. If you cannot validate the code or the registry/metadata mismatch remains unresolved, avoid installing or provide only a low-privilege token in a sandboxed environment.

Like a lobster shell, security has layers — review code before you run it.

Current versionv2.0.6
Download zip
latestvk97574ht5t3bxg7a1vtdjc6z49815494

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Tushare 金融数据 Skill

本 skill 通过 Tushare Pro API 获取中国金融市场数据,支持 220+ 个数据接口。

快速开始

1. Token 配置

询问用户:是否已配置 Tushare Token?

如未配置,引导用户:

  1. 访问 https://tushare.pro 注册
  2. 获取 Token
  3. 配置环境变量:export TUSHARE_TOKEN="your_token"

2. 验证依赖

检查 Python 环境:

python -c "import tushare, pandas; print('OK')"

如报错,安装依赖:

pip install tushare pandas

常用接口速查

数据类型接口方法说明
股票列表pro.stock_basic()获取所有股票列表
日线行情pro.daily()获取日线行情数据
财务指标pro.fina_indicator()财务指标(ROE等)
利润表pro.income()利润表数据
指数行情pro.index_daily()指数日线数据
基金净值pro.fund_nav()基金净值数据
GDP数据pro.gdp()国内生产总值
CPI数据pro.cpi()居民消费价格指数

完整接口列表:查看 接口文档索引

数据获取流程

  1. 查找接口:根据需求在 接口索引 找到对应接口
  2. 阅读文档:查看 reference/接口文档/[接口名].md 了解参数
  3. 编写代码 
    import tushare as ts

# 初始化(使用环境变量中的 Token)
pro = ts.pro_api()

# 调用接口
df = pro.daily(ts_code='000001.SZ', start_date='20241201', end_date='20241231')
  4. 返回结果:DataFrame 格式

参数格式说明

  • 日期:YYYYMMDD(如 20241231)
  • 股票代码:ts_code 格式(如 000001.SZ, 600000.SH)
  • 返回格式:pandas DataFrame

接口文档参考

接口索引reference/README.md

接口文档按类别组织:

  • 股票数据(39 个接口)
  • 指数数据(18 个接口)
  • 基金数据(11 个接口)
  • 期货期权(16 个接口)
  • 宏观经济(10 个接口)
  • 港股美股(23 个接口)
  • 债券数据(16 个接口)

参考资源

Files

228 total
Select a file
Select a file to preview.

Comments

Loading comments…