A股股票投研分析方法论。当用户要求按股票名称或代码分析中国A股、判断公司基本面/技术面/估值/财务质量/股东结构/主营业务、做专题研究(如AI、半导体、新能源关联度)、从个股推演行业趋势、做竞争格局分析或风险排查,或基于Tushare/公开市场数据生成股票分析时使用。用户提问形式包括"帮我分析XX股票""XX的基...
Security Analysis
medium confidenceThe skill appears to do what it claims (fetch Tushare/CNInfo data and provide stock analysis guidance), but there are metadata and packaging inconsistencies you should be aware of before installing.
The skill's declared purpose (A-share research using Tushare and public reports) matches the included code and SKILL.md: the data_fetcher uses Tushare and CNInfo and provides dataset-level fetch commands that the analysis instructions rely on. However, the package metadata does not declare the required TUSHARE_TOKEN or the Python dependencies (tushare, requests, PyPDF2). That mismatch between what the skill needs at runtime and what the registry metadata lists is a coherence concern (could be sloppy packaging or an oversight).
SKILL.md confines the agent to using scripts/data_fetcher.py only for atomic data retrieval and places analysis logic in the markdown instructions. It explicitly requires online searches and cites the need to download/parse company reports (PDF) when necessary. The instructions do not ask the agent to read arbitrary system files or unrelated credentials; downloading reports to a local data/reports directory is allowed and in-scope for the stated purpose.
There is no install spec (instruction-only install), which is low-risk in itself, but the shipped Python script depends on external packages (tushare, requests, PyPDF2). Those dependencies are not declared in metadata and there is no automated install step. This will cause runtime failures unless the environment is prepared, and it increases the chance a user will manually install packages from PyPI without guidance.
The SKILL.md and data_fetcher.py require a TUSHARE_TOKEN (read from environment or a .env file). Requesting a Tushare token is proportional to the skill's purpose. However, the registry metadata lists no required environment variables or primary credential — an important omission. The code also reads cwd/.env which may expose any tokens stored there; users should be aware the script will attempt to read that file if the env var is not set.
The skill does not request 'always: true' and does not modify other skills or global agent settings. It can download PDFs and write them into a local directory (e.g., data/reports) which is appropriate for its purpose but means it will create files in the working directory when asked to fetch reports.
Guidance
This skill's behavior is generally coherent with its stated purpose (A‑share research using Tushare and public reports), but the metadata is incomplete and you should take a few precautions before installing: - Provide a TUSHARE_TOKEN: The skill expects a TUSHARE_TOKEN (env var or a .env file in the current working directory). Add this token only if you trust the skill and store it securely. - Prepare dependencies: The included script requires Python packages (tushare, requests, PyPDF2). The skill provides no install steps; consider installing these in an isolated virtualenv or sandbox before use. - File writes: The fetcher can download PDF reports to a local directory (e.g., data/reports). Expect files to be written to the agent's working directory when you request report downloads. - Metadata mismatch: The registry failing to declare required env vars/dependencies is a packaging oversight and increases operational risk. Prefer skills that declare required credentials and dependencies explicitly. - Review code if concerned: The fetcher is short and readable; if you have doubts, inspect scripts/data_fetcher.py yourself (it validates CNInfo hosts and avoids arbitrary remote hosts). If you lack the ability to review code, run the skill in a restricted environment (container or VM) and avoid providing high-privilege credentials. If these points are acceptable and you sandbox the execution, the skill appears usable for the stated task. If you need higher assurance, ask the publisher to update the metadata to declare TUSHARE_TOKEN and required Python packages and to provide an install script or requirements.txt.
Latest Release
v2.2.2
Update stock research methodology, trigger patterns, and CNInfo report retrieval support.
Popular Skills
Published by @chinfi-codex on ClawHub
