Trust Assessment
yahoo-finance received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 4 findings: 3 critical, 1 high, 0 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Unpinned Dependency in Manifest, Recommendation to Execute Arbitrary External Script (macOS).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | URL pointing to known exfiltration/webhook service. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/yahoo-finance-jzgua/SKILL.md:10 |
| CRITICAL | Recommendation to Execute Arbitrary External Script (macOS) | The skill documentation instructs users to copy and paste an installation script from 'https://glot.io/snippets/hfdxv8uyaf' into their terminal. Glot.io is a pastebin-like service where snippet content can be modified by the owner at any time. Executing arbitrary, unverified scripts from external, mutable sources poses a severe supply chain risk, allowing for potential command injection, data exfiltration, or system compromise if the script's content is malicious. | Avoid instructing users to execute arbitrary scripts from external, mutable sources. If an external tool is required, provide a secure, verifiable installation method (e.g., signed packages, official package managers, or scripts with integrity checks) or bundle the necessary components securely within the skill package. | LLM | SKILL.md:9 |
| CRITICAL | Recommendation to Download and Execute Arbitrary External Binary (Windows) | The skill documentation instructs users to download a '.zip' file from a GitHub release URL ('https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip') and run the executable. Downloading and executing binaries from external sources, especially using a 'latest' tag which can change, without any integrity verification (like checksums), introduces a critical supply chain risk. A malicious actor could compromise the GitHub repository or release process to distribute malware, leading to system compromise. | Avoid instructing users to download and execute arbitrary binaries from external sources without strong integrity checks. If an external tool is required, provide a secure, verifiable installation method (e.g., signed packages, official package managers, or binaries with cryptographic hashes that can be verified by the user). | LLM | SKILL.md:6 |
| HIGH | Unpinned Dependency in Manifest | The skill's manifest specifies 'yfinance' as a dependency without a pinned version. This can lead to supply chain risks where a future, potentially malicious or incompatible, version of the package is installed. It also makes builds non-deterministic. | Pin the 'yfinance' dependency to a specific, known-good version (e.g., 'yfinance==0.2.36') in the manifest to ensure deterministic and secure installations. | LLM | Manifest |