Yahoo Finance CLI

Advisory: Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill may install or update third-party npm code used to fetch Yahoo Finance data.

Why it was flagged

The skill depends on an external npm package without a pinned version in the supplied install spec. That is expected for a CLI wrapper, but users should recognize that behavior comes from the installed package.

Skill content

node | package: yahoo-finance2 | creates binaries: yahoo-finance

Recommendation

Install only if you trust the `yahoo-finance2` package source, and prefer a pinned version or a reviewed package source when possible.

What this means

The install step can add a new executable name to your system command path.

Why it was flagged

The install instructions create a command symlink in `/usr/local/bin` so the tool can be invoked as `yf`. This is a scoped setup action, but it modifies the local command path and may require elevated permissions.

Skill content

sudo ln -s /opt/homebrew/bin/yahoo-finance /usr/local/bin/yf

Recommendation

Review the symlink target before running the command, and remove `/usr/local/bin/yf` if you later uninstall or no longer want the alias.

What this means

The CLI may leave Yahoo Finance cookie state on disk between uses.

Why it was flagged

The skill discloses that the Yahoo Finance CLI stores cookie state in the user's home directory. This appears purpose-aligned for the data provider, but cookie/session-like state is still sensitive enough for users to notice.

Skill content

Cookies: The tool automatically handles cookies (stored in `~/.yf2-cookies.json`).

Recommendation

Be comfortable with the local cookie cache before installing; delete `~/.yf2-cookies.json` if you want to reset the tool's stored Yahoo Finance state.