Skillv1.0.0

ClawScan security

yahooquery · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 11, 2026, 9:31 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is a documentation-only wrapper around the yahooquery Python library and its requirements and instructions are consistent with that purpose — nothing in the package appears to perform unrelated or suspicious actions.
Guidance: This skill is essentially documentation for the yahooquery Python library and appears internally consistent. Before installing/using it: 1) ensure the runtime already has the yahooquery package (and Selenium + a webdriver if you plan to use Premium); this skill will not install those for you. 2) Only provide Yahoo Premium credentials (username/password) if you trust the environment — the docs recommend storing them in env vars (YF_USERNAME/YF_PASSWORD), so avoid plaintext files and prefer ephemeral or scoped credentials where possible. 3) Review network and browser-automation permissions: Selenium-based login automates a browser and may require a webdriver and network access to Yahoo. 4) The skill owner and source are unknown and there's no homepage; if you want greater assurance, prefer obtaining the official yahooquery package from a trusted source (PyPI or the project's GitHub) and review its code before allowing any agent to use your credentials. 5) If you do not need Premium features, avoid passing credentials to reduce risk.

Review Dimensions

Purpose & Capability: okThe name/description match the SKILL.md contents: the files are documentation for the yahooquery library (Ticker, Screener, Research) and the APIs described align with Yahoo Finance functionality.
Instruction Scope: noteThe SKILL.md stays within the expected scope (calling yahooquery functions). It references premium login (username/password), Selenium for login, session/crumb sharing, and recommends env vars (YF_USERNAME/YF_PASSWORD) — these are relevant to Yahoo Finance Premium features but do involve handling user credentials and browser automation, so the agent or user should be careful when enabling those features.
Install Mechanism: okThis is an instruction-only skill with no install spec or code files; that is low-risk. Note: because it documents a Python library but does not install it, the runtime environment must already have the yahooquery package (and Selenium/webdriver for Premium) available or the agent may need to install them.
Credentials: noteThe skill declares no required environment variables in metadata, which is reasonable for general use. The docs advise using YF_USERNAME/YF_PASSWORD (and passing username/password to Research/Ticker) for premium features — those credentials are proportionate to the documented Research functionality but are sensitive. There is no request for unrelated secrets or external credentials.
Persistence & Privilege: okalways is false, no install/persistence is requested, and the skill does not ask to modify agent/system configs. Autonomous invocation is allowed (platform default) but not combined with other red flags.