tushare
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: Risk of Indirect Prompt Injection from untrusted external data.
  - Ingestion points: The skill fetches external text data from several sources, including financial news (`news`), company announcements (`anns_d`), interactive Q&A platforms (`irm_qa_sh`, `irm_qa_sz`), and research reports (`research_report`).
  - Boundary markers: The documentation and provided scripts (e.g., `scripts/stock_data_example.py`) lack explicit boundary markers or instructions to the AI agent to ignore potentially malicious commands embedded in the fetched text.
  - Capability inventory: Scripts use `tushare` and `pandas` to retrieve and display data. An agent using this skill typically has broad capabilities to process this information.
  - Sanitization: No sanitization or filtering of the external text content was observed in the example scripts or markdown documentation.
- [EXTERNAL_DOWNLOADS]: The skill documentation (`SKILL.md`) provides instructions to install the `tushare` Python library from PyPI. This is the official package provided by the vendor for accessing their service.
Audit Metadata