Yahoo Finance

Pass

Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: yahoo-finance
Version: 1.0.0

The skill bundle is classified as suspicious due to the use of high-risk installation methods for the `uv` package manager, specifically `curl -LsSf https://astral.sh/uv/install.sh | sh` and `powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"` found in `SKILL.md`. While `uv` is a legitimate tool and `astral.sh` is its official domain, these methods involve downloading and executing arbitrary remote scripts, which bypasses package manager integrity checks and presents a significant security risk, even if plausibly needed for the skill's stated purpose. There is no clear evidence of intentional malicious behavior like data exfiltration or persistence.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing uv and Python packages can add third-party software to the user's machine.

Why it was flagged

The setup tells users to run an external installer and later auto-install Python packages. This is disclosed and purpose-aligned for a CLI, but it depends on external software provenance outside the supplied artifact.

Skill content

curl -LsSf https://astral.sh/uv/install.sh | sh ... First run will install dependencies (yfinance, rich) to uv's cache.

Recommendation

Install uv from a trusted source, prefer trusted package-manager options where possible, and be aware that yfinance/rich dependencies will be fetched on first run.

What this means

If the user obtains a `yf` file from elsewhere, that file would be the code actually executed and possibly made globally available on PATH.

Why it was flagged

The instructions prepare and optionally persist a local `yf` executable, but the supplied artifact set contains only SKILL.md and no `yf` code file. This is a provenance gap, not evidence of malicious behavior.

Skill content

chmod +x /path/to/skills/yahoo-finance/yf; ln -sf /path/to/skills/yahoo-finance/yf /usr/local/bin/yf

Recommendation

Do not chmod, symlink, or run a `yf` executable unless it comes from a trusted source and its contents have been reviewed.