tushare-mcp
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns or critical security vulnerabilities were identified in the analyzed files. The skill correctly implements the Model Context Protocol to provide financial data retrieval tools via the Tushare Pro SDK.
- [EXTERNAL_DOWNLOADS]: The skill depends on standard Python libraries including
tushare,pandas, andfastmcp. These dependencies are necessary for its primary function of financial data retrieval and processing. - [SAFE]: The skill implements a local SQLite caching mechanism in
src/tushare_mcp/storage.pyto persist fetched financial data. This is a documented feature and uses parameterized queries to prevent SQL injection. - [SAFE]: Data ingested from the external Tushare Pro API presents a surface for indirect prompt injection. However, given the structured nature of financial data and the lack of dangerous local capabilities (e.g., shell execution or arbitrary file writing) linked to the data processing logic, the risk is minimal.
- Ingestion points:
src/tushare_mcp/client.py(API responses from Tushare SDK). - Boundary markers: Absent; data is returned to the agent in structured JSON or Markdown formats.
- Capability inventory: Restricted to SQLite data storage and API requests; no subprocess or unsafe file operations detected in the skill code.
- Sanitization: Standard JSON/DataFrame conversion; no specific content filtering for LLM instructions is implemented.
Audit Metadata