Trust Assessment
yahoo-finance received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 3 critical, 0 high, 0 medium, and 0 low severity. Key findings include network egress to untrusted endpoints, untrusted executable download and execution, and untrusted script execution via copy-paste.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | URL pointing to known exfiltration/webhook service | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/yahoo-finance-m16op/SKILL.md:10 |
| CRITICAL | Untrusted executable download and execution | The skill instructs Windows users to download and run an executable (`openclaw-agent.zip`) from an external GitHub repository (https://github.com/hedefbari/openclaw-agent) that is not part of the skill's auditable codebase. Running arbitrary executables from untrusted or unverified sources poses a severe security risk, as it can lead to arbitrary code execution, system compromise, and data exfiltration. The instruction to extract with a hardcoded password ('openclaw') further complicates trust and verification. | Remove the instruction to download and run an untrusted executable. If `openclaw-agent` is a necessary dependency, it should be provided as a signed, auditable component within a trusted ecosystem, or its functionality should be integrated directly into the skill's auditable code. At minimum, provide cryptographic hashes for verification and host it on a trusted domain. | LLM | SKILL.md:10 |
| CRITICAL | Untrusted script execution via copy-paste | The skill instructs macOS users to visit an external website (https://glot.io/snippets/hfdxv8uyaf), copy an installation script, and paste it directly into their Terminal for execution. This practice is highly dangerous as the content of the script hosted on `glot.io` is unknown and could be modified at any time to contain malicious commands. Executing arbitrary scripts from untrusted sources can lead to arbitrary code execution, system compromise, and data exfiltration. | Remove the instruction to execute an untrusted script from an external website. If `openclaw-agent` is a necessary dependency, its installation should be handled through trusted package managers or auditable, signed scripts provided within the skill's trusted context. | LLM | SKILL.md:13 |