tushare-base
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: tushare-base Version: 1.0.0 The skill bundle is benign. It provides a legitimate interface to the Tushare financial data API. The `SKILL.md` clearly documents the skill's purpose, prerequisites (including the `TUSHARE_TOKEN` environment variable), and usage examples. The `scripts/market.py` script correctly utilizes `os.getenv` to retrieve the API token and interacts solely with the `tushare` library to fetch and display financial data. There is no evidence of data exfiltration, malicious execution, persistence, prompt injection against the agent, or obfuscation. All actions are aligned with the stated purpose of fetching financial market data.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Requests made by the skill can use your Tushare token and may consume quota or require paid Tushare permissions.
The script reads a Tushare API token from the environment and uses it to authenticate provider API calls; this is expected for the stated purpose but gives the skill use of the user's Tushare account/quota.
token = os.getenv('TUSHARE_TOKEN') ... ts.set_token(token) ... return ts.pro_api()Use a dedicated or limited Tushare token if available, avoid exposing the token in shared logs or files, and prefer metadata that explicitly declares TUSHARE_TOKEN as a required credential.
Installing dependencies can affect your user Python environment and requires trusting the packages being installed.
The setup instructions install unpinned third-party Python packages from the package ecosystem; this is normal for a Tushare wrapper but relies on external package provenance and lacks a lockfile or install spec.
pip3 install tushare pandas --user
Install dependencies in a virtual environment, verify package names and sources, and consider pinning known-good versions.