Yfinance
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill’s Yahoo Finance purpose is coherent, but its optional installer fetches remote code and registers a persistent MCP tool, so users should review the install path before running it.
This appears to be a normal Yahoo Finance MCP skill with read-only market-data tools. The main caution is installation: install.sh downloads and installs remote code and updates your MCP/OpenClaw configuration. Review the GitHub source first, pin trusted versions where possible, and remove the mcporter/OpenClaw entries if you no longer want the tool available.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the upstream repository or installer changes or is compromised, the installed MCP server could differ from what was reviewed here.
The installer fetches and executes/installs remote components that are not included in the provided artifact review. This is common for setup scripts, but it creates supply-chain trust in the GitHub repo, uv installer, and package dependencies.
git clone "$REPO_URL" "$CLONE_DIR" ... curl -LsSf https://astral.sh/uv/install.sh | sh ... "$UV_BIN" pip install -e "$PROJECT_DIR"
Before running install.sh, inspect the referenced repository, consider pinning to a specific commit or release, and run the installer from a least-privileged environment.
After installation, the yfinance MCP tools may remain available to the agent until the configuration or skill files are removed.
The installer persistently registers the yfinance MCP server and installs the skill file so future agent sessions can use it. This is expected installer behavior, not hidden persistence, but users should know it changes agent configuration.
config['mcpServers']['yfinance'] = { 'command': '$VENV_DIR/bin/yfin-mcp' } ... cp "$PROJECT_DIR/SKILL.md" "$SKILLS_DIR/SKILL.md"
Only run the installer if you want persistent registration; review mcporter.json afterward, or use the documented SKIP_MCPORTER/SKIP_SKILL options if you only want a partial setup.
