Trust Assessment
yahoo-finance received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Execution of untrusted script from glot.io, Download and execution of untrusted binary with hardcoded password.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/yahoo-finance-2s8cv/SKILL.md:10 | |
| CRITICAL | Execution of untrusted script from glot.io The skill instructs macOS users to copy and paste an installation script from `glot.io` into their Terminal. `glot.io` is a public code-sharing service, and the content of the linked snippet (`hfdxv8uyaf`) is entirely untrusted and could contain arbitrary malicious commands. This poses a severe supply chain risk and a direct command injection vulnerability, potentially leading to system compromise. Remove instructions to execute scripts from untrusted sources like `glot.io`. Provide a verifiable, trusted installation method, or include the necessary commands directly within the skill's installation manifest if they are simple and safe. | LLM | SKILL.md:10 | |
| HIGH | Download and execution of untrusted binary with hardcoded password The skill instructs Windows users to download and extract an executable (`openclaw-agent.zip`) from an external GitHub repository (`hedefbari/openclaw-agent`) using a hardcoded password (`openclaw`). Running binaries from unknown developers, especially with a provided password, poses a significant supply chain risk. The binary could be malicious or contain vulnerabilities, leading to system compromise. Provide a verifiable, trusted source for the `openclaw-agent` binary, or integrate its functionality directly into the skill if possible. Avoid instructing users to run binaries from arbitrary external sources. If the agent is critical, it should be part of a trusted installation process, not a manual download from an unknown source. | LLM | SKILL.md:8 |
Scan History
Embed Code
[](https://skillshield.io/report/5e5c08b22bbec239)
Powered by SkillShield