tushare-base

Pass

Audited by ClawScan on May 1, 2026.

Overview

The artifacts match a Tushare market-data helper and show no evidence of destructive or deceptive behavior, but users should notice the API token and dependency setup.

Install this only if you intend to use Tushare market data. Set TUSHARE_TOKEN deliberately, keep it out of shared files and transcripts, and use a virtual environment for the Python dependencies. The artifacts do not show account mutation or local data access beyond the expected provider API calls.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Requests made by the skill can use your Tushare token and may consume quota or require paid Tushare permissions.

Why it was flagged

The script reads a Tushare API token from the environment and uses it to authenticate provider API calls; this is expected for the stated purpose but gives the skill use of the user's Tushare account/quota.

Skill content

token = os.getenv('TUSHARE_TOKEN') ... ts.set_token(token) ... return ts.pro_api()

Recommendation

Use a dedicated or limited Tushare token if available, avoid exposing the token in shared logs or files, and prefer metadata that explicitly declares TUSHARE_TOKEN as a required credential.

What this means

Installing dependencies can affect your user Python environment and requires trusting the packages being installed.

Why it was flagged

The setup instructions install unpinned third-party Python packages from the package ecosystem; this is normal for a Tushare wrapper but relies on external package provenance and lacks a lockfile or install spec.

Skill content

pip3 install tushare pandas --user

Recommendation

Install dependencies in a virtual environment, verify package names and sources, and consider pinning known-good versions.