Is yahoo-finance safe?
https://clawhub.ai/ajanraj/yahoo-finance
The yahoo-finance skill is a CLI wrapper around yfinance for stock data. While no active malicious behavior was detected during installation, the skill presents significant concerns: the actual yf executable script is missing from the file listing (preventing source code review), SKILL.md instructs agents to install software via curl-pipe-sh and symlink untrusted executables to system directories, and the PEP 723 mechanism auto-installs PyPI dependencies without explicit user consent. The sensitive file reads (.env, .aws/credentials) observed during monitoring appear attributable to the host agent runtime rather than the skill itself.
Category Scores
Findings (10)
HIGH Curl-pipe-sh installation pattern in SKILL.md -25 ▶
SKILL.md instructs the agent to run 'curl -LsSf https://astral.sh/uv/install.sh | sh' to install uv. This is a remote code execution pattern where arbitrary code from a remote server is piped directly into a shell. If an agent follows these instructions autonomously, it would execute unreviewed remote code with the user's privileges.
HIGH Opaque executable script with auto-dependency installation -25 ▶
The 'yf' script uses PEP 723 inline metadata to automatically install dependencies (yfinance, rich) from PyPI on first run via uv. The actual source code of the yf script was not included in the file listing, meaning its contents cannot be reviewed. This creates an opaque execution path where untrusted Python code runs with full user privileges.
MEDIUM Instructions to modify system binaries directory -15 ▶
SKILL.md instructs the agent to symlink the yf script to /usr/local/bin, placing an untrusted executable in a system-wide PATH directory. It also instructs chmod +x on the script. An agent following these instructions autonomously would install a persistent executable accessible to all users.
MEDIUM Instructions to source shell configuration files -10 ▶
SKILL.md instructs running 'source ~/.bashrc' or 'source ~/.zshrc' after installing uv. While seemingly innocuous, sourcing shell config files can execute arbitrary code if those files have been modified by another malicious skill.
MEDIUM Sensitive file access observed during monitoring -20 ▶
Filesystem monitoring detected reads of .env, .aws/credentials, openclaw.json, and auth-profiles.json during the install phase. While these are likely attributable to the host agent runtime rather than the skill itself, the access pattern occurs in the same execution context and timeline as the skill installation.
MEDIUM Runtime network access to external services -15 ▶
The yf script connects to Yahoo Finance API servers at runtime. While this is the stated purpose, it means the skill has established network access that could be abused to exfiltrate data via query parameters or custom headers if the script were modified.
LOW Supply chain trust dependency on PyPI packages -15 ▶
The skill depends on yfinance and rich packages from PyPI, installed automatically via uv. A supply chain compromise of either package would give an attacker code execution in the user's environment. The auto-install mechanism means users may not notice if dependencies change.
LOW Missing yf script source code prevents full review -30 ▶
The actual Python source code of the yf executable script was not captured in the skill file listing. Without reviewing this code, it is impossible to verify that the script only performs the Yahoo Finance operations described in SKILL.md and does not contain hidden functionality.
INFO Clean clone with no unexpected network or process activity 0 ▶
No outbound network connections, no unexpected processes, no firewall blocks, and no filesystem changes outside the skill directory were detected during clone and installation. The jiti temp files and openclaw lock file are attributable to the host agent runtime.
INFO All honeypot canary files intact 0 ▶
No canary files (fake .env, SSH keys, AWS credentials) were accessed or modified, indicating no active credential harvesting during the install phase.