tushare-complete
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): Vulnerable to Indirect Prompt Injection (Category 8) due to extensive ingestion of external content.
  - Ingestion points: Interfaces like `irm_qa_sh` (forum questions/answers), `anns_d` (company announcements), and `ths_hot` (external hot lists) fetch text generated by third parties.
  - Boundary markers: Absent. The documentation does not specify the use of delimiters or 'ignore embedded instructions' warnings for external data.
  - Capability inventory: The skill is designed for data analysis pipelines where fetched content influences the agent's logic and the execution of validation scripts (e.g., `validate_data_quality` in SKILL.md).
  - Sanitization: Absent. There is no evidence of filtering or escaping logic applied to the external text before it enters the LLM's context.
- [CREDENTIALS_UNSAFE] (LOW): The documentation (README.md, SKILL.md) instructs users to provide a `TUSHARE_TOKEN` via environment variables or direct code injection (`pro = ts.pro_api('your_token_here')`). While standard for this API, it creates a risk of token exposure if the agent environment is compromised.
- [COMMAND_EXECUTION] (LOW): The skill provides Python code snippets for execution. While necessary for data analysis, this requires the agent to operate within a sandbox to prevent arbitrary code execution based on manipulated data inputs.
Recommendations
- AI detected serious security threats
Audit Metadata