Today Earnings
Pass. Audited by ClawScan on May 10, 2026.
Overview
This skill appears to do what it claims—fetch public Yahoo Finance earnings data—but it requires a real Chrome extension plus Native Messaging host that runs locally while Chrome is open.
Before installing, be aware this is not just a prompt-only helper: it asks you to load a Chrome extension and register a local Native Messaging host. The provided code appears purpose-aligned and does not show credential theft, hidden exfiltration, or destructive behavior, but you should review the install path, keep it on a trusted machine, and remove the extension/native host if you stop using it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill changes Chrome/Chromium Native Messaging configuration so Chrome can launch the local host script.
The installer registers a Chrome Native Messaging host at the user level. This is expected for the stated architecture, but it is a meaningful local browser integration users should review before running.
REG ADD "HKCU\Software\Google\Chrome\NativeMessagingHosts\com.today.earnings.host"
Run the install script only from a trusted checkout, verify the extension ID and host path, and remove the Chrome extension/native host registration if you stop using the skill.
When invoked, the skill can open a Yahoo Finance tab in Chrome, extract page data, and pass it through the local Native Host.
The extension can open/manage tabs, use native messaging, and run on Yahoo Finance pages. These permissions fit the scraping workflow and are host-scoped, but they are sensitive browser capabilities.
"permissions": ["tabs", "scripting", "nativeMessaging", "alarms"], "host_permissions": ["https://finance.yahoo.com/*"]
Keep the extension loaded only if you need this functionality, and review future updates for any expansion beyond finance.yahoo.com.
Other local processes with access to the socket may be able to trigger the extension to fetch Yahoo Finance calendar data while the host is running.
The local CLI-to-Native-Host bridge listens on a fixed Unix socket path and forwards JSON requests to the extension. The artifacts do not show authentication on that local socket, though the implemented action is limited to fetching Yahoo earnings data.
const SOCKET_PATH = '/tmp/today-earnings.sock'; ... socketServer = net.createServer((socket) => {
Use this on a trusted local machine and consider tightening socket permissions or using a per-user private runtime directory if the skill is maintained further.
The Native Messaging bridge may stay active while Chrome is running, rather than only during the moment you call the script.
The extension keeps the service worker/native host connection alive and reconnects on Chrome startup. This persistence is purpose-aligned but means the local bridge can remain available beyond a single command run.
chrome.alarms.create('keepAlive', { periodInMinutes: 0.4 }); ... chrome.runtime.onStartup.addListener(() => { connectToHost(); });
Disable or remove the Chrome extension and Native Host registration when you no longer need the skill.
