Skill v1.0.0

ClawScan security

yfinance-client · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 15, 2026, 2:49 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is a straightforward wrapper around the yfinance library for fetching US/HK stock data; it requests no credentials, has no install script, and its code and instructions align with its stated purpose.
Guidance
This skill appears coherent and implements a yfinance wrapper. Before installing: (1) ensure your Python environment has yfinance and pandas (SKILL.md suggests pip install yfinance pandas); (2) be aware the client makes network requests to Yahoo Finance (so queries may be visible to that service and are subject to rate limits/delays); (3) you don't need to provide any API keys or secrets, so do not add unrelated credentials; (4) if you operate in a restricted environment, run the skill in a controlled venv or under a network policy that limits outbound traffic. Note: the code is simple and does not request sensitive access, but keep packages up to date and review third-party dependencies for vulnerabilities as part of normal risk management.

Review Dimensions

Purpose & Capability
ok: Name, description, SKILL.md examples, and the included client.py all align: this is a yfinance wrapper exposing price, history, financials, screeners, options, and related queries. There are no unrelated dependencies or requested credentials.
Instruction Scope
ok: SKILL.md only describes using the client and suggests installing yfinance and pandas. It does not instruct the agent to read unrelated files, environment variables, or post data to unexpected endpoints.
Install Mechanism
note: There is no formal install spec (instruction-only). SKILL.md suggests pip install yfinance pandas; because the skill contains runnable Python code that depends on those packages, the runtime environment must have them installed. This is a usability note rather than a security concern.
Credentials
ok: The skill requires no environment variables, credentials, or config paths. The functionality (network calls to Yahoo via yfinance) is proportional to the stated purpose. No secrets are requested or referenced.
Persistence & Privilege
ok: always is false and the skill does not request elevated or persistent platform privileges. Autonomous invocation is allowed (platform default) but not combined with other red flags.