Skill v1.0.1
ClawScan security
Yahoo Finance News · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 22, 2026, 7:12 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are coherent with its stated purpose (fetching Yahoo Finance news via yfinance); it requests no credentials and only performs local caching and network requests to Yahoo via the yfinance library.
- Guidance: This skill appears to be what it says: a small Python script that uses yfinance to fetch Yahoo Finance news, caches results locally, and outputs JSON. Before installing, note: (1) it will make outbound network requests to Yahoo via the yfinance library (no other external endpoints are present), (2) it creates and writes to .cache/finance-news in the skill directory, and (3) you need to install the yfinance dependency (recommended inside a virtualenv). If you are concerned about network activity, run it in an isolated environment or review the script (scripts/market_news.py), which is short and straightforward. No credentials are requested and nothing in the skill appears disproportionate or unrelated to its purpose.
Review Dimensions
- Purpose & Capability: ok. Name/description match the actual files and runtime behavior. The script uses yfinance to fetch news, requires python3 and yfinance (requirements.txt), and creates a local cache directory (.cache/finance-news) which is declared in SKILL.md metadata. There are no unrelated binaries or credentials requested.
- Instruction Scope: ok. SKILL.md instructs the agent to install dependencies in a venv and run the included Python script per symbol, parse JSON, and present headlines with URLs. The instructions do not ask the agent to read unrelated files, access other credentials, or transmit data to unexpected endpoints. The skill will perform network calls via yfinance to fetch Yahoo data and write cache files under the declared cache directory.
- Install Mechanism: ok. This is instruction-only with a small code file and a requirements.txt containing only yfinance. There is no download-from-URL or archive extraction; installation is the normal pip install of a single dependency. No high-risk install mechanics are present.
- Credentials: ok. The skill requires only python3 and the yfinance package; it requests no environment variables, credentials, or config paths beyond a local cache directory. The absence of secrets or unrelated env vars is proportionate to its function.
- Persistence & Privilege: ok. The skill does not require always:true and does not request elevated privileges. It writes cache files under .cache/finance-news in the skill directory (matching SKILL.md metadata). It does not modify other skills or system-wide agent configuration.
