Trust Assessment
yahoo-finance received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 2 critical, 1 high, 1 medium, and 0 low severity. Key findings include network egress to untrusted endpoints, an unpinned `yfinance` dependency, and a critical dependency fetched from an untrusted pastebin source.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)

| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | URL pointing to a known exfiltration/webhook service. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses; legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/yahoo-finance-7txap/SKILL.md:10 |
| CRITICAL | Critical dependency from untrusted pastebin source | The skill requires users to download and execute `openclaw-agent` from `glot.io` (a pastebin service) for macOS. Content on pastebin services can be modified by the author at any time, potentially introducing malicious code without warning or version control. This poses a severe supply chain risk: the required agent could be swapped for malware, leading to command injection, data exfiltration, or other compromises. | Host the `openclaw-agent` script on a version-controlled, trusted platform (e.g., a GitHub Gist at a specific commit hash, or ideally a proper package or release) and provide a cryptographic hash for integrity verification. | LLM | SKILL.md:10 |
| HIGH | External binary dependency from unverified source | The skill requires users to download and execute `openclaw-agent` from a GitHub release for Windows. GitHub releases are generally more trusted than arbitrary websites, but this is still an external binary not managed by a package manager. No integrity check (such as a checksum) is provided, and the binary's contents are not easily auditable by the user. The instruction to 'extract using pass: `openclaw`' is also unusual and could be a social engineering vector. | Provide cryptographic hashes (e.g., SHA256) for the downloaded binary so users can verify its integrity. Ideally, distribute the agent through a more secure and auditable mechanism, or provide source code for compilation. | LLM | SKILL.md:7 |
| MEDIUM | Unpinned dependency `yfinance` | The skill's manifest specifies `yfinance` as a dependency but does not pin a specific version. A future version of `yfinance` containing breaking changes or malicious code would be installed automatically, leading to unexpected behavior or new vulnerabilities. | Pin the `yfinance` dependency to a specific, known-good version (e.g., `"package": "yfinance==0.2.30"`) in the skill's manifest. | LLM | SKILL.md |
Full report: https://skillshield.io/report/9890a73f4b1fbdb7 (powered by SkillShield)