tushare-base

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Requests made by the skill can use your Tushare token and may consume quota or require paid Tushare permissions.

Why it was flagged

The script reads a Tushare API token from the environment and uses it to authenticate provider API calls; this is expected for the stated purpose but gives the skill use of the user's Tushare account/quota.

Skill content

token = os.getenv('TUSHARE_TOKEN') ... ts.set_token(token) ... return ts.pro_api()

Recommendation

Use a dedicated or limited Tushare token if available, avoid exposing the token in shared logs or files, and prefer metadata that explicitly declares TUSHARE_TOKEN as a required credential.

What this means

Installing dependencies can affect your user Python environment and requires trusting the packages being installed.

Why it was flagged

The setup instructions install unpinned third-party Python packages from the package ecosystem; this is normal for a Tushare wrapper but relies on external package provenance and lacks a lockfile or install spec.

Skill content

pip3 install tushare pandas --user

Recommendation

Install dependencies in a virtual environment, verify package names and sources, and consider pinning known-good versions.