yahoo-finance-bist
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a Yahoo Finance analysis/logger skill, but it should be reviewed because it runs local Python via an inconsistent absolute path and has unsafe local file/report handling.
Review the local Python scripts and install path before use. Use only normal ticker symbols and valid Yahoo Finance ranges/intervals, avoid logging untrusted names or symbols, and remember that the CSV/HTML/JSON files persist locally and the outputs are automated technical analysis rather than guaranteed financial advice.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could fail or run code from a different local directory than the reviewed package if that path exists.
The skill instructs execution from a fixed absolute directory named yahoo_portfoy_analiz, while the evaluated registry slug/name differ and there is no install spec tying that path to the reviewed files.
exec: python3 /home/node/.openclaw/skills/yahoo_portfoy_analiz/investing_historical_indicator.py THYAO.IS
Use package-relative paths or registered tool entry points, align the skill name/slug/install directory, and declare python3 as a required runtime.
A crafted argument could cause the exporter to create or overwrite files outside the intended export folder, depending on whether data retrieval succeeds.
The output filename is built from user-controlled symbol, --range, and --interval values without path sanitization or a check that the resolved path remains under symbol_data.
filename = f"{symbol_clean}_{range_str}_{interval}.csv"
filepath = os.path.join(data_dir, filename)
with open(filepath, "w", newline="", encoding="utf-8-sig") as f:
Whitelist valid ticker/range/interval characters and values, strip path separators, and verify the resolved output path is inside the intended data directory before writing.
If an untrusted or malicious trade name/symbol is logged, opening the generated report could execute injected script in the browser or expose report contents.
The generated HTML report runs JavaScript and embeds stored trade fields such as symbol/name directly into HTML without escaping.
<script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
...<tr><td>{t['symbol']} ({t['name']})</td>...
Escape HTML fields, serialize JavaScript data with json.dumps, neutralize CSV/HTML formula/script payloads, and consider pinning or bundling Chart.js.
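A hardened version of the export-path construction and report rendering described in the two findings above, added here as an illustration and not the skill's own code; the whitelist patterns, function names and trade fields are assumptions:

```python
import html
import json
import os
import re

# Assumed allow-lists for the three user-controlled filename parts: Yahoo
# Finance tickers such as THYAO.IS or ^XU100, and the range/interval tokens
# the API accepts (e.g. 1mo, 1y, 1d, 15m). Nothing else reaches the filesystem.
TICKER_RE = re.compile(r"^[A-Z0-9^][A-Z0-9.\-=]{0,14}$")
RANGE_RE = re.compile(r"^(\d{1,2}(d|mo|y)|ytd|max)$")
INTERVAL_RE = re.compile(r"^\d{1,2}(m|h|d|wk|mo)$")


def safe_export_path(data_dir, symbol, range_str, interval):
    """Return <data_dir>/<SYMBOL>_<range>_<interval>.csv or raise ValueError.

    Each part is whitelisted first; the resolved path is then checked to still
    sit under data_dir so '..', separators or a symlinked component cannot
    redirect the write (defence in depth on top of the whitelist).
    """
    symbol = symbol.strip().upper()
    if not TICKER_RE.match(symbol):
        raise ValueError(f"rejected symbol: {symbol!r}")
    if not RANGE_RE.match(range_str):
        raise ValueError(f"rejected range: {range_str!r}")
    if not INTERVAL_RE.match(interval):
        raise ValueError(f"rejected interval: {interval!r}")
    base = os.path.realpath(data_dir)
    path = os.path.realpath(
        os.path.join(base, f"{symbol}_{range_str}_{interval}.csv"))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("export path escaped the data directory")
    return path


def render_trade_row(trade):
    """One <tr> for the HTML report with every stored field HTML-escaped."""
    symbol = html.escape(str(trade["symbol"]))
    name = html.escape(str(trade["name"]))
    return f"<tr><td>{symbol} ({name})</td></tr>"


def render_chart_data(trades):
    """Serialize chart data for an inline <script> via json.dumps; '</' is
    additionally split so a stored value cannot close the script element."""
    payload = json.dumps([{"symbol": t["symbol"], "qty": t["qty"]} for t in trades])
    return payload.replace("</", "<\\/")
```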
Portfolio and trade details may remain on disk across sessions and could be included in backups or local file sharing.
The skill persistently stores user trade history and generated reports in files under the skill directory.
TRADE_DB = os.path.join(os.path.dirname(os.path.abspath(__file__)), "trade_history.json")
CSV_FILE = os.path.join(..., "Nikos_Islem_Gecmisi.csv")
HTML_FILE = os.path.join(..., "Nikos_Portfoy_Analiz.html")
Only log financial data you are comfortable storing locally, and provide or document a clear way to delete trade_history.json, portfolio_alerts.json, CSV, and HTML reports.
