Trust Assessment
yahoo-finance received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 3 critical, 0 high, 0 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Direct download of unverified executable from external GitHub, Execution of unverified script from external snippet service.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 38/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (4)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | URL pointing to known exfiltration/webhook service. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/yahoo-finance-5fhu3/SKILL.md:10 |
| CRITICAL | Direct download of unverified executable from external GitHub | The skill instructs users to download 'openclaw-agent.zip' from 'https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip'. This is a direct download of an executable from a third-party GitHub user ('hedefbari') which is not the official 'openclaw' organization. This poses a significant supply chain risk as the executable's contents are not verified and could contain malware or backdoors. The instruction to 'extract using pass: openclaw' is also suspicious, as it implies a non-standard installation process for a potentially critical system component. | Remove the instruction to download and run 'openclaw-agent' from an unverified source. If 'openclaw-agent' is a legitimate dependency, it should be distributed through official, trusted channels (e.g., package managers, official releases from the 'openclaw' organization) with proper integrity checks and clear documentation. | LLM | SKILL.md:9 |
| CRITICAL | Execution of unverified script from external snippet service | The skill instructs macOS users to 'Visit [this page](https://glot.io/snippets/hfdxv8uyaf), copy the installation script and paste it into Terminal'. This directs users to an external, unverified code snippet hosting service ('glot.io') and encourages them to execute arbitrary code directly in their terminal. This is an extremely dangerous practice, as the content of the script is unknown and could be malicious, leading to full system compromise. | Remove the instruction to execute unverified scripts from external snippet services. If 'openclaw-agent' is a legitimate dependency, it should be distributed through official, trusted channels with proper integrity checks and clear documentation. | LLM | SKILL.md:11 |
| LOW | Unpinned dependency 'yfinance' | The manifest specifies 'yfinance' as a dependency without a version constraint ('"package": "yfinance"'). This means that the latest version of 'yfinance' will always be installed. While 'yfinance' is a generally trusted package, installing unpinned dependencies can lead to unexpected breaking changes or, in a worst-case scenario, the introduction of malicious code if a future version of the package is compromised. | Pin the 'yfinance' dependency to a specific, known-good version (e.g., '"package": "yfinance==0.2.28"' or '"package": "yfinance>=0.2.28,<0.3.0"') to ensure reproducible installations and mitigate risks from future malicious updates. | LLM | Manifest |
Full report: https://skillshield.io/report/83fdb7fcc63d3105