Yahoo Finance CLI

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Yahoo Finance command wrapper; its package install, system-path symlink, and cookie cache are worth noticing, but the artifacts do not show hidden or destructive behavior.

This skill appears suitable for read-only Yahoo Finance lookups. Before installing, review the npm dependency, the `/usr/local/bin/yf` symlink step, and the local cookie file behavior so you understand what will be added to your system.

VirusTotal

65/65 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing the skill may install or update third-party npm code used to fetch Yahoo Finance data.

Why it was flagged

The skill depends on an external npm package without a pinned version in the supplied install spec. That is expected for a CLI wrapper, but users should recognize that behavior comes from the installed package.

Skill content
node | package: yahoo-finance2 | creates binaries: yahoo-finance
Recommendation

Install only if you trust the `yahoo-finance2` package source, and prefer a pinned version or a reviewed package source when possible.

ASI05: Unexpected Code Execution
Low
What this means

The install step can add a new executable name to your system command path.

Why it was flagged

The install instructions create a command symlink in `/usr/local/bin` so the tool can be invoked as `yf`. This is a scoped setup action, but it modifies the local command path and may require elevated permissions.

Skill content
sudo ln -s /opt/homebrew/bin/yahoo-finance /usr/local/bin/yf
Recommendation

Review the symlink target before running the command, and remove `/usr/local/bin/yf` if you later uninstall or no longer want the alias.

ASI03: Identity and Privilege Abuse
Low
What this means

The CLI may leave Yahoo Finance cookie state on disk between uses.

Why it was flagged

The skill discloses that the Yahoo Finance CLI stores cookie state in the user's home directory. This appears purpose-aligned for the data provider, but cookie/session-like state is still sensitive enough for users to notice.

Skill content
Cookies: The tool automatically handles cookies (stored in `~/.yf2-cookies.json`).
Recommendation

Be comfortable with the local cookie cache before installing; delete `~/.yf2-cookies.json` if you want to reset the tool's stored Yahoo Finance state.