Yahoo Finance

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a read-only Yahoo Finance helper with no credential access, but its setup relies on external installers/dependencies and a referenced CLI script that is not included in the supplied files.

This skill appears benign for public market-data lookup. Before using it, verify any `yf` script you plan to run and install uv/dependencies only from trusted sources.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing uv and Python packages can add third-party software to the user's machine.

Why it was flagged

The setup tells users to run an external installer and later auto-install Python packages. This is disclosed and purpose-aligned for a CLI, but it depends on external software provenance outside the supplied artifact.

Skill content

curl -LsSf https://astral.sh/uv/install.sh | sh ... First run will install dependencies (yfinance, rich) to uv's cache.

Recommendation

Install uv from a trusted source, prefer trusted package-manager options where possible, and be aware that yfinance/rich dependencies will be fetched on first run.

What this means

If the user obtains a `yf` file from elsewhere, that file would be the code actually executed and possibly made globally available on PATH.

Why it was flagged

The instructions prepare and optionally persist a local `yf` executable, but the supplied artifact set contains only SKILL.md and no `yf` code file. This is a provenance gap, not evidence of malicious behavior.

Skill content

chmod +x /path/to/skills/yahoo-finance/yf; ln -sf /path/to/skills/yahoo-finance/yf /usr/local/bin/yf

Recommendation

Do not chmod, symlink, or run a `yf` executable unless it comes from a trusted source and its contents have been reviewed.