Yfinance

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Yahoo Finance MCP skill, but its installer makes persistent local setup changes and should be reviewed before running.

Install only if you trust the upstream GitHub repository and the uv installer source. Review install.sh first, consider installing uv through a trusted package manager instead of curl | sh, and use SKIP_MCPORTER=true or SKIP_SKILL=true if you do not want persistent agent registration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding:
The skill presents itself as a finance-data access skill, but its documented setup performs shell execution and writes to local configuration and skill directories without declaring those capabilities. This creates a transparency and trust problem: users may authorize or run it expecting read-only data access while it actually changes the host environment.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding:
There is a clear description-behavior mismatch: the skill claims to provide Yahoo Finance data, but the instructions also clone code, install packages, fetch and run a remote installer, modify mcporter configuration, and copy files into application directories. This is dangerous because users may trust the skill as a simple data-access integration and overlook that it performs privileged setup actions affecting system state and future command execution.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The installer performs broad bootstrap and environment-management actions that exceed simple finance-data access, including cloning a repository, installing tooling, creating virtual environments, editing third-party configuration, and copying files into another platform. While common for convenience installers, this expands the trust boundary and increases the chance of unintended system changes or abuse if environment variables or upstream sources are manipulated.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The script edits mcporter configuration and installs files into an OpenClaw skills directory, which are actions outside the stated purpose of accessing Yahoo Finance data. This is risky because it alters other applications' behavior and trust configuration, potentially enabling persistence or unexpected command execution paths if the installed server or copied files are later trusted by those platforms.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The installation section instructs users to execute shell commands, create environments, install software, alter config, and copy files, but it does not provide adequate warning that these actions modify the local system. In a skill context, that omission increases the chance that users will run commands without understanding persistence, trust boundaries, or rollback requirements.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
In non-interactive mode, the installer can automatically update mcporter.json without an explicit warning at the time of change. Silent configuration mutation is dangerous because it may redirect another tool to execute this package's binary, creating an unreviewed trust relationship and making incident triage harder.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The script downloads and pipes a remote shell script directly into sh, which is a classic supply-chain and remote code execution risk. If the remote endpoint, TLS trust chain, DNS, or upstream content is compromised, arbitrary commands will run immediately on the host without review.

External Script Fetching

Severity: Low
Category: Supply Chain
Content:
cd yfinance-mcp-server

# 2. Install uv
curl -LsSf https://astral.sh/uv/install.sh | sh

# 3. Create venv + install
uv venv .venv --python 3.12
Confidence: 98%
Finding:
curl -LsSf https://astral.sh/uv/install.sh | sh

Chaining Abuse

Severity: High
Category: Tool Misuse
Content:
cd yfinance-mcp-server

# 2. Install uv
curl -LsSf https://astral.sh/uv/install.sh | sh

# 3. Create venv + install
uv venv .venv --python 3.12
Confidence: 99%
Finding:
| sh

VirusTotal

64/64 vendors flagged this skill as clean.
