ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

yahooquery

v1.0.0

Access Yahoo Finance data including real-time pricing, fundamentals, analyst estimates, options, news, and historical data via the yahooquery Python library.

1· 1.1k·1 current·1 all-time
by@512z
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the SKILL.md contents: the files are documentation for the yahooquery library (Ticker, Screener, Research) and the APIs described align with Yahoo Finance functionality.
Instruction Scope
The SKILL.md stays within the expected scope (calling yahooquery functions). It references premium login (username/password), Selenium for login, session/crumb sharing, and recommends env vars (YF_USERNAME/YF_PASSWORD) — these are relevant to Yahoo Finance Premium features but do involve handling user credentials and browser automation, so the agent or user should be careful when enabling those features.
Install Mechanism
This is an instruction-only skill with no install spec or code files; that is low-risk. Note: because it documents a Python library but does not install it, the runtime environment must already have the yahooquery package (and Selenium/webdriver for Premium) available or the agent may need to install them.
Credentials
The skill declares no required environment variables in metadata, which is reasonable for general use. The docs advise using YF_USERNAME/YF_PASSWORD (and passing username/password to Research/Ticker) for premium features — those credentials are proportionate to the documented Research functionality but are sensitive. There is no request for unrelated secrets or external credentials.
Persistence & Privilege
always is false, no install/persistence is requested, and the skill does not ask to modify agent/system configs. Autonomous invocation is allowed (platform default) but not combined with other red flags.
Assessment
This skill is essentially documentation for the yahooquery Python library and appears internally consistent. Before installing/using it: 1) ensure the runtime already has the yahooquery package (and Selenium + a webdriver if you plan to use Premium); this skill will not install those for you. 2) Only provide Yahoo Premium credentials (username/password) if you trust the environment — the docs recommend storing them in env vars (YF_USERNAME/YF_PASSWORD), so avoid plaintext files and prefer ephemeral or scoped credentials where possible. 3) Review network and browser-automation permissions: Selenium-based login automates a browser and may require a webdriver and network access to Yahoo. 4) The skill owner and source are unknown and there's no homepage; if you want greater assurance, prefer obtaining the official yahooquery package from a trusted source (PyPI or the project's GitHub) and review its code before allowing any agent to use your credentials. 5) If you do not need Premium features, avoid passing credentials to reduce risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk9707gnadzv7rapm5ktakfnm1n80vpyf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments