Yahoo Finance CLI
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: yahoo-finance-cli Version: 1.0.0 The OpenClaw skill 'yahoo-finance-cli' is classified as benign. Its purpose is to fetch financial data from Yahoo Finance, which is clearly aligned with its stated goal. Installation uses standard package managers (Homebrew for `jq`, npm for `yahoo-finance2`) and creates a symbolic link, all common practices. The only potentially risky command, `rm -f ~/.yf2-cookies.json`, is explicitly for troubleshooting a cookie file created by the skill itself, not for arbitrary file deletion or system compromise. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts to subvert the agent's behavior for harmful purposes.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may install or update third-party npm code used to fetch Yahoo Finance data.
The skill depends on an external npm package without a pinned version in the supplied install spec. That is expected for a CLI wrapper, but users should recognize that behavior comes from the installed package.
node | package: yahoo-finance2 | creates binaries: yahoo-finance
Install only if you trust the `yahoo-finance2` package source and prefer using a pinned version or reviewed package source when possible.
The install step can add a new executable name to your system command path.
The install instructions create a command symlink in `/usr/local/bin` so the tool can be invoked as `yf`. This is a scoped setup action, but it modifies the local command path and may require elevated permissions.
sudo ln -s /opt/homebrew/bin/yahoo-finance /usr/local/bin/yf
Review the symlink target before running the command, and remove `/usr/local/bin/yf` if you later uninstall or no longer want the alias.
The CLI may leave Yahoo Finance cookie state on disk between uses.
The skill discloses that the Yahoo Finance CLI stores cookie state in the user's home directory. This appears purpose-aligned for the data provider, but cookie/session-like state is still sensitive enough for users to notice.
Cookies: The tool automatically handles cookies (stored in `~/.yf2-cookies.json`).
Be comfortable with the local cookie cache before installing; delete `~/.yf2-cookies.json` if you want to reset the tool's stored Yahoo Finance state.