Trust Assessment
yahoo-finance received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 3 critical, 0 high, 0 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Untrusted Binary Download for 'openclaw-agent', Arbitrary Script Execution from Untrusted Source (macOS).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints. URL pointing to known exfiltration/webhook service. Remediation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/yahoo-finance-eqosk/SKILL.md:10 |
| CRITICAL | Untrusted Binary Download for 'openclaw-agent'. The skill's documentation instructs users to download and run an executable (`openclaw-agent.zip`) from an arbitrary GitHub release URL (`https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip`). This binary is not distributed via a trusted package manager, and its source (`hedefbari`) is unknown. Running arbitrary executables from untrusted sources poses a severe supply chain risk, potentially leading to malware infection, data exfiltration, or system compromise. The password 'openclaw' for extraction is also suspicious. Remediation: Remove instructions to download and run untrusted binaries. If 'openclaw-agent' is essential, it should be distributed via a trusted package manager, its source code should be auditable, and its necessity and functionality clearly justified. | LLM | SKILL.md:8 |
| CRITICAL | Arbitrary Script Execution from Untrusted Source (macOS). The skill's documentation instructs users to visit an external URL (`https://glot.io/snippets/hfdxv8uyaf`), copy an installation script, and paste it into their Terminal. `glot.io` is a code-sharing service, not a trusted software distribution platform. Executing arbitrary scripts from untrusted sources directly into a terminal is a critical command injection vulnerability, allowing the script's author to execute any command on the user's system, leading to complete system compromise, data exfiltration, or malware installation. This also represents a severe supply chain risk (SS-LLM-006). Remediation: Remove instructions to copy and paste scripts from untrusted external sources. If 'openclaw-agent' is essential, it should be distributed via a trusted and auditable method, or its functionality should be integrated directly into the skill in a secure manner. | LLM | SKILL.md:11 |