Today Earnings
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: today-earnings
Version: 4.3.4
The skill bundle is a legitimate tool designed to scrape earnings data from Yahoo Finance using a Chrome Extension and Native Messaging architecture. While the installation script (native-host/install.sh) performs high-privilege actions such as writing to browser configuration directories and modifying the Windows registry, these are standard requirements for establishing a Native Messaging Host. The code logic across the background scripts, content scripts, and the Node.js bridge (host.js) is transparent, well-documented in design.md, and lacks any indicators of data exfiltration, unauthorized remote execution, or malicious prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill changes Chrome/Chromium Native Messaging configuration so Chrome can launch the local host script.
The installer registers a Chrome Native Messaging host at the user level. This is expected for the stated architecture, but it is a meaningful local browser integration users should review before running.
REG ADD "HKCU\Software\Google\Chrome\NativeMessagingHosts\com.today.earnings.host"
Run the install script only from a trusted checkout, verify the extension ID and host path, and remove the Chrome extension/native host registration if you stop using the skill.
When invoked, the skill can open a Yahoo Finance tab in Chrome, extract page data, and pass it through the local Native Host.
The extension can open/manage tabs, use native messaging, and run on Yahoo Finance pages. These permissions fit the scraping workflow and are host-scoped, but they are sensitive browser capabilities.
"permissions": ["tabs", "scripting", "nativeMessaging", "alarms"], "host_permissions": ["https://finance.yahoo.com/*"]
Keep the extension loaded only if you need this functionality, and review future updates for any expansion beyond finance.yahoo.com.
Other local processes with access to the socket may be able to trigger the extension to fetch Yahoo Finance calendar data while the host is running.
The local CLI-to-Native-Host bridge listens on a fixed Unix socket path and forwards JSON requests to the extension. The artifacts do not show authentication on that local socket, though the implemented action is limited to fetching Yahoo earnings data.
const SOCKET_PATH = '/tmp/today-earnings.sock'; ... socketServer = net.createServer((socket) => {
Use this on a trusted local machine and consider tightening socket permissions or using a per-user private runtime directory if the skill is maintained further.
The Native Messaging bridge may stay active while Chrome is running, rather than only during the moment you call the script.
The extension keeps the service worker/native host connection alive and reconnects on Chrome startup. This persistence is purpose-aligned but means the local bridge can remain available beyond a single command run.
chrome.alarms.create('keepAlive', { periodInMinutes: 0.4 }); ... chrome.runtime.onStartup.addListener(() => { connectToHost(); });
Disable or remove the Chrome extension and Native Host registration when you no longer need the skill.
