Stock Tools

Pass

Audited by VirusTotal on May 2, 2026.

Overview

Type: OpenClaw Skill
Name: us-stock-quote
Version: 1.0.0

The skill bundle is a legitimate tool for retrieving US stock and cryptocurrency prices from Yahoo Finance and Binance. The script `scripts/yahoo_finance.py` uses standard HTTP requests and includes a hardcoded local proxy (127.0.0.1:7891) for connectivity, which is common for bypassing regional network restrictions and does not pose a security threat. No evidence of data exfiltration, malicious execution, or prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Ticker symbols queried by the user are sent to external finance APIs and through any local proxy listening on port 7891; Binance access may be unexpected if the user only expects Yahoo Finance.

Why it was flagged

The script routes requests through a hardcoded local proxy and may contact Binance for crypto symbols, while the skill description primarily advertises Yahoo Finance stock quote lookup.

Skill content

PROXY = {
    'http': 'http://127.0.0.1:7891',
    'https': 'http://127.0.0.1:7891'
}
...
url = f'https://api.binance.com/api/v3/ticker/price?symbol={symbol}'

Recommendation

Document all external endpoints and the proxy requirement, make the proxy configurable or optional, and validate or encode user-supplied symbols before building request URLs.

What this means

The script may fail if requests is not installed, or it will use whichever requests package is present in the user's Python environment.

Why it was flagged

The script relies on the third-party requests package, but the provided requirements and install spec do not declare dependencies. There is no automatic install behavior shown, so this is a documentation and environment-sourcing note.

Skill content

import requests

Recommendation

Declare the Python dependency and, if installation is later added, pin packages to trusted sources and versions.