Is yahoo-finance-cli safe?

https://clawhub.ai/stuhorsman/yahoo-finance-cli

72
CAUTION

This Yahoo Finance CLI skill is a documentation-only skill that instructs an LLM agent to use the 'yf' command-line tool for stock data. It contains no malicious prompt injection or hidden instructions. However, it presents moderate risk through its install metadata which includes an arbitrary shell command execution step with command substitution, sudo privilege escalation in its install instructions, and potential shell injection vectors when the agent constructs commands with user-supplied stock symbols. Sensitive file access (.env, .aws/credentials) was observed during the audit, though this appears to be from the OpenClaw runtime rather than the skill itself.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 45/100 · 20%
Clone Behavior 80/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (9)

HIGH Arbitrary shell command in install metadata -30

The skill's metadata contains a 'kind:exec' install step that runs 'ln -sf $(npm bin -g)/yahoo-finance /usr/local/bin/yf'. The $(npm bin -g) command substitution executes arbitrary shell code during installation. If the npm global bin path is compromised or if the yahoo-finance binary is malicious, this creates a persistent backdoor at /usr/local/bin/yf.

HIGH Sudo privilege escalation in install instructions -25

The SKILL.md install section instructs users to run 'sudo ln -s /opt/homebrew/bin/yahoo-finance /usr/local/bin/yf', requesting root-level access to create a symlink in a system directory. This normalizes privilege escalation for a stock-checking tool.

MEDIUM Sensitive file access observed during clone/install -25

Filesystem monitoring detected reads of .env, .aws/credentials, and OpenClaw auth-profiles.json during the audit. While these appear to originate from the OpenClaw runtime rather than the skill itself, the skill's presence triggered this runtime activity. The .aws/credentials file was opened and read.

MEDIUM Cookie file persistence in user home directory -10

The skill documents that yahoo-finance2 stores cookies at ~/.yf2-cookies.json. This creates a persistent tracking file in the user's home directory that could be used to correlate sessions or leak session data.

MEDIUM Shell injection risk via stock symbol input -20

The skill instructs the agent to construct shell commands like 'yf quote AAPL'. If an agent naively interpolates user input into these commands without sanitization, a malicious user could inject shell commands via a crafted 'symbol' argument (e.g., 'AAPL; rm -rf /').

MEDIUM Third-party npm dependency supply chain risk -10

The skill requires global installation of the yahoo-finance2 npm package, which brings in a full dependency tree. Global npm packages execute with user-level permissions and can include preinstall/postinstall hooks that run arbitrary code.

LOW Broad trigger phrase matching -10

The skill description uses broad trigger phrases ('get financial data', 'find trending stocks') that could cause the skill to activate in unintended contexts, potentially intercepting queries meant for other tools or skills.

INFO Jiti temp files created during runtime -5

Multiple jiti (JIT compilation) cache files were created in /tmp/jiti/ during the audit. This is expected behavior for the OpenClaw runtime environment but creates temporary executable code on disk.

INFO Lock file created in /tmp -5

A gateway lock file was created at /tmp/openclaw-1000/gateway.e9191928.lock during the audit, which is standard OpenClaw runtime behavior.