Fetch Chinese stock and futures market data via Tushare API. Supports stock quotes, futures data, company fundamentals, and macroeconomic indicators. Use whe...
Security Analysis
medium confidence
The skill appears to be a Tushare client (coherent), but the manifest and runtime instructions disagree about required credentials and there is a bundled Python script; these mismatches warrant caution before installing or trusting with secrets.
Name/description match the included code: the bundled scripts call the Tushare Python API to fetch stock, futures and macro data. However the registry metadata claims no required env vars/credentials while the SKILL.md and the script clearly require a TUSHARE_TOKEN — this mismatch is unexpected and should be corrected.
SKILL.md gives concrete CLI usage and correctly limits actions to calling the local Python script and the Tushare API. It also instructs the user to add TUSHARE_TOKEN to ~/.zshrc and to run pip3 install tushare pandas --user; that guidance modifies user shell configuration (advice to write to ~/.zshrc) and asks to install packages — both are normal for a client tool but are out-of-band changes a user should review.
No install spec in the registry (instruction-only), and the README tells users to pip-install tushare and pandas. That is reasonable for a Python tool. There are no opaque downloads or archive extraction in the skill manifest. Because a code file is bundled, the skill will run local Python code; the user should inspect that code (scripts/market.py) before running.
The runtime documentation and code require a single TUSHARE_TOKEN environment variable (used by get_pro_api()), but the skill metadata lists no required credentials or primaryEnv. This omission is an inconsistency. Requiring one API token for Tushare is proportionate — but the manifest must reflect it. Also SKILL.md suggests exporting the token into ~/.zshrc, which could persist a secret in a shell profile; users should avoid committing tokens into shared profiles or posting them in chats.
The skill does not request always:true and does not declare any system config paths or other skills' configs. It does advise the user to add an env var to ~/.zshrc (user-side change), but the skill itself does not request elevated or persistent platform privileges.
Guidance
This skill is plausibly a normal Tushare command-line client, but there are a few things to check before installing or running it:
- (1) The SKILL.md and scripts require TUSHARE_TOKEN, yet the registry metadata does not declare that credential. Don't trust the registry entry alone; verify you supply the token only to the Tushare service.
- (2) Inspect scripts/market.py yourself (it is bundled) to confirm it only uses the Tushare API and does not exfiltrate data to other endpoints.
- (3) Prefer using a virtual environment for the pip install (pip3 install --user is convenient but gives less isolation).
- (4) Avoid pasting your token into shared UIs or chat; if you persist the token in your shell profile, be aware it will live on disk.
- (5) If the skill came from an unknown source or you need higher assurance, ask the publisher for a homepage/source URL or request that the manifest be corrected to declare TUSHARE_TOKEN as a required env var.
Latest Release
v1.0.5
- Initial release of the tushare skill.
- Fetch Chinese stock and futures market data via the Tushare API.
- Supports stock quotes, futures data, company fundamentals, and macroeconomic indicators (GDP, CPI, PPI).
- Requires users to configure TUSHARE_TOKEN as an environment variable.
- Includes quick-start commands and troubleshooting tips.
Published by @AlphaFactor on ClawHub