Yfinance
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: yfinance-mcp-server Version: 0.1.2 The OpenClaw AgentSkills bundle for 'yfinance-mcp-server' is classified as benign. The `SKILL.md` file clearly defines tools for accessing Yahoo Finance data without any evidence of prompt injection attempts, instructions for unauthorized actions, or requests for sensitive data. The `install.sh` script performs standard installation procedures, including cloning from a public GitHub repository and installing the `uv` package manager via `curl | sh` from `astral.sh`. While executing remote scripts carries inherent supply chain risks, these actions are common for legitimate software installation and do not demonstrate malicious intent such as data exfiltration, persistence mechanisms, or unauthorized system modifications beyond the scope of skill setup.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the upstream repository or installer changes or is compromised, the installed MCP server could differ from what was reviewed here.
The installer fetches and executes/install remote components that are not included in the provided artifact review. This is common for setup scripts, but it creates supply-chain trust in the GitHub repo, uv installer, and package dependencies.
git clone "$REPO_URL" "$CLONE_DIR" ... curl -LsSf https://astral.sh/uv/install.sh | sh ... "$UV_BIN" pip install -e "$PROJECT_DIR"
Before running install.sh, inspect the referenced repository, consider pinning to a specific commit or release, and run the installer from a least-privileged environment.
After installation, the yfinance MCP tools may remain available to the agent until the configuration or skill files are removed.
The installer persistently registers the yfinance MCP server and installs the skill file so future agent sessions can use it. This is expected installer behavior, not hidden persistence, but users should know it changes agent configuration.
config['mcpServers']['yfinance'] = { 'command': '$VENV_DIR/bin/yfin-mcp' } ... cp "$PROJECT_DIR/SKILL.md" "$SKILLS_DIR/SKILL.md"Only run the installer if you want persistent registration; review mcporter.json afterward, or use the documented SKIP_MCPORTER/SKIP_SKILL options if you only want a partial setup.