Trust Assessment
yahoo-finance received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 3 critical, 0 high, 0 medium, and 0 low severity. The key findings are: network egress to untrusted endpoints; an untrusted executable download and execution instruction (Windows); and an untrusted script execution instruction (macOS).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints: URL pointing to a known exfiltration/webhook service. Recommendation: review all outbound network calls; remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/yahoo-finance-w3wo2/SKILL.md:10 |
| CRITICAL | Untrusted executable download and execution instruction (Windows): the skill instructs users to download an executable (`openclaw-agent.zip`) from an untrusted GitHub repository (`hedefbari`) and run it. This allows arbitrary code execution on the user's machine, posing a severe supply chain risk and potential for malware. The password-protected zip adds a layer of obscurity but does not mitigate the risk. Recommendation: remove instructions to download and run untrusted executables. If `openclaw-agent` is a legitimate dependency, it should be distributed through trusted package managers, or its source code should be auditable and built by the user. | LLM | SKILL.md:8 |
| CRITICAL | Untrusted script execution instruction (macOS): the skill instructs users to copy and paste an installation script from `glot.io` (a public pastebin service) into their terminal and execute it. This is equivalent to running `curl | bash` from an arbitrary, untrusted source, allowing immediate arbitrary code execution on the user's machine. This is a severe supply chain risk. Recommendation: remove instructions to download and execute untrusted scripts from pastebin-like services. If `openclaw-agent` is a legitimate dependency, it should be distributed through trusted package managers, or its source code should be auditable and built by the user. | LLM | SKILL.md:11 |
Full report: https://skillshield.io/report/c8aebb2cd4d9520c