Yahoo Finance CLI

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Yahoo Finance lookup helper with no evidence of hidden actions, account access, trading authority, or destructive behavior.

Before installing, confirm the `yahoo-finance` command on your system is the expected `yahoo-finance2` package and that you are comfortable with Yahoo Finance lookups for requested symbols or portfolio holdings. Treat the tool's output as market data, not financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The manifest description uses extremely broad trigger language that can cause the agent to invoke this skill for a wide range of ordinary finance-related requests, including cases where live market data is unnecessary. This creates an overreach/inappropriate tool-selection risk: the agent may disclose user queries to an external data tool more often than needed, reduce user choice, and crowd out safer or more relevant handling paths.

Natural-Language Policy Violations

Medium
Confidence: 95%
Finding
The description explicitly says the agent 'CANNOT answer financial data questions from memory' and 'MUST use this skill instead,' which attempts to override normal agent judgment and forces tool use without user opt-in. In context, this is risky because it can compel unnecessary external calls for low-risk or non-live queries, increasing data exposure and making the agent more susceptible to prompt-level routing manipulation.

VirusTotal

65/65 vendors flagged this skill as clean.
