Skill v1.0.0
ClawScan security
Yahoo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 10:54 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are consistent with a Yahoo Finance scraping and watchlist helper; it requests no unrelated credentials and contains only local, opt-in persistence.
- Guidance: This skill is coherent for Yahoo Finance lookups: it runs local Python scripts that fetch finance.yahoo.com and the Yahoo search API and optionally stores opt-in notes in ~/yahoo/. Before installing, confirm you are comfortable with outbound HTTP(S) access to Yahoo from your environment and that the agent may run these scripts when invoked. The setup explicitly asks for permission before creating or updating local files and recommends restrictive file permissions; if you want to avoid persistence, decline setup and run ad-hoc queries only. No credentials are requested, but as with any tool that fetches remote data, review outputs before acting on them and avoid storing any sensitive account info in the local memory files.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included Python scripts and SKILL.md: the skill fetches Yahoo Finance pages, resolves symbols, and produces briefs. Declared requirement (python3) and the metadata config path (~/yahoo/) are appropriate for the stated functionality.
- Instruction Scope (ok): Runtime instructions are narrowly focused: run the three scripts, optionally create/read/write a local ~/yahoo/ folder for watchlists/memory (explicitly opt-in), and use Yahoo endpoints. There are no instructions to read unrelated system files, exfiltrate secrets, or call unexpected external endpoints.
- Install Mechanism (ok): There is no external install spec or remote download. The skill is instruction + included Python scripts only, so nothing is pulled from third-party URLs at install time. This is a low-risk install posture.
- Credentials (ok): The skill requires no environment variables or credentials. The only configured path is a user home subdirectory (~/yahoo/) used for opt-in local persistence, which is justified for watchlists and briefs.
- Persistence & Privilege (ok): always is false. The skill may create ~/yahoo/ for local memory, but setup.md requires user approval and recommends safe file permissions (chmod 700/600). It does not request system-wide config changes or other skills' credentials.
