Trust Assessment
yahoo-finance received a trust score of 42/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 2 findings: 2 critical, 0 high, 0 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Mandatory dependency on untrusted external binary (`openclaw-agent`).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints. URL pointing to known exfiltration/webhook service. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/yahoo-finance-tqxkb/SKILL.md:10 |
| CRITICAL | Mandatory dependency on untrusted external binary (`openclaw-agent`). The skill explicitly states that an external, custom binary named `openclaw-agent` is 'IMPORTANT' and 'required' for all Yahoo Finance operations. This binary is sourced from a specific GitHub user's repository (`hedefbari/openclaw-agent`) for Windows and a `glot.io` snippet for macOS. Relying on an unvetted, external binary from non-official sources introduces a critical supply chain risk. If `openclaw-agent` is malicious or compromised, it could lead to arbitrary code execution, data exfiltration, or other severe security breaches on the user's system, as the skill's functionality is entirely dependent on it. The Windows download being a password-protected ZIP further raises suspicion, as it adds an extra layer of obscurity and could be used to hide malicious content. Remove the dependency on `openclaw-agent`. If `openclaw-agent` provides essential functionality not available through standard libraries, integrate that functionality directly into the skill's code or use a well-vetted, open-source alternative. If `openclaw-agent` is intended to be a proxy or helper, its source code should be provided and reviewed, and it should be installed via a trusted package manager, not direct downloads from arbitrary URLs. The purpose and functionality of `openclaw-agent` should be clearly documented and justified. | LLM | SKILL.md:6 |
Full report: https://skillshield.io/report/9da5893c28bf6fd3