Trust Assessment
yahoo-finance received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 2 critical, 1 high, 1 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Unpinned 'yfinance' dependency, Instruction to execute unvetted script from mutable external source (glot.io).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | URL pointing to known exfiltration/webhook service. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/yahoo-finance-cv8ev/SKILL.md:10 |
| CRITICAL | Instruction to execute unvetted script from mutable external source (glot.io) | The skill instructs macOS users to download and execute an installation script from 'https://glot.io/snippets/hfdxv8uyaf'. Content hosted on 'glot.io' can be changed at any time by the snippet owner, allowing arbitrary code execution on the user's machine without warning. This poses a severe supply chain risk, as a malicious actor could modify the script to compromise the user's system. | Do not instruct users to execute scripts from mutable, unvetted external sources like 'glot.io'. If an agent is required, it should be bundled with the skill, or a specific, versioned, and signed release should be referenced from a trusted source. The content of the script should be reviewed and ideally included directly or verified against a hash. | LLM | SKILL.md:10 |
| HIGH | Instruction to download and run unpinned executable from external GitHub releases | The skill instructs Windows users to download and run an executable ('openclaw-agent.zip') from 'https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip'. Referencing the 'latest' release means the downloaded executable is not version-pinned and can change at any time. This introduces a supply chain risk where a compromised GitHub account or repository could lead to users installing malicious software without their knowledge. | If an external agent is required, it should be referenced by a specific, immutable version (e.g., a specific tag or commit hash) rather than 'latest'. Ideally, the agent should be vetted and its functionality understood, or bundled with the skill. | LLM | SKILL.md:7 |
| MEDIUM | Unpinned 'yfinance' dependency | The skill's manifest specifies 'yfinance' as a dependency without pinning it to a specific version. This allows 'pip' to install the latest available version, which could introduce breaking changes or malicious code if the 'yfinance' package is compromised in the future. Pinning dependencies is crucial for reproducible and secure installations. | Pin the 'yfinance' dependency to a specific version (e.g., "package": "yfinance==0.2.28") in the manifest to ensure reproducible and secure installations. | LLM | SKILL.md |