yahooquery

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Yahoo Finance skill with disclosed finance-data and optional premium-login usage, but users should handle credentials and TLS settings carefully.

Install only if you intentionally want yahooquery-based Yahoo Finance access. Use premium credentials only when needed, supply them through protected environment variables or a secrets manager, do not paste real passwords into shared prompts or checked-in files, keep TLS verification enabled, and avoid untrusted proxies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Medium
Confidence: 94%
Finding
The example demonstrates embedding account credentials directly in code and reusing an authenticated session and crumb across objects without any warning about secret handling, storage, or account-data exposure. In documentation for a finance library, users commonly copy examples verbatim, so this can normalize unsafe credential practices and increase the chance of credential leakage through source control, logs, notebooks, or shared environments.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation encourages users to provide Yahoo Finance Premium credentials directly to the library and only notes environment variables as a convenience, without warning about secret handling, storage, logging, or exposure risks. In a skill that may be used in automated agent workflows, this increases the chance of plaintext credential leakage through code, config files, prompts, notebooks, or telemetry.

Missing User Warnings

High
Confidence: 98%
Finding
The example explicitly demonstrates `verify=False`, which disables TLS certificate validation and enables man-in-the-middle interception or tampering of traffic. Because this skill accesses remote finance data and may also handle authenticated sessions, showing this without a strong warning can normalize insecure network practices and expose credentials or returned data.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation demonstrates instantiating the Research class with a Yahoo username and password directly in code, but it does not warn users against hardcoding credentials or explain safer handling practices. In agent or notebook contexts, this can lead to accidental credential exposure through source control, logs, screenshots, prompts, or shared execution environments.

Missing User Warnings

Medium
Confidence: 97%
Finding
The examples repeatedly show `username='username@yahoo.com', password='password'` inline, normalizing the practice of placing secrets directly in code. In an agent skill context, users may copy-paste these patterns with real credentials into notebooks, repos, logs, or prompts, leading to accidental secret exposure and account compromise.

Unsafe Defaults

Medium
Category
Tool Misuse
Content
```python
Ticker(
    'aapl',
    verify=False
)
```
Confidence: 99%
Finding
`verify=False`

VirusTotal

65/65 vendors flagged this skill as clean.