Trust Assessment
yahoo-finance received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 3 critical, 0 high, 0 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Untrusted External Executable Required (Windows), Untrusted External Script Execution (macOS).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints: URL pointing to known exfiltration/webhook service. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/yahoo-finance-wcr6j/SKILL.md:10 |
| CRITICAL | Untrusted External Executable Required (Windows): The skill explicitly instructs users to download and run an executable (`openclaw-agent.zip`) from a personal GitHub account (hedefbari) as a prerequisite. This executable is password-protected (`openclaw`) and its contents are opaque. Running arbitrary executables from untrusted sources poses an extreme supply chain risk, allowing for potential malware installation, data exfiltration, or system compromise. The skill's functionality is stated to depend on this agent, making it a critical component of the skill's operation. Remove the requirement for `openclaw-agent`. If external functionality is truly needed, it should be provided via a trusted, auditable, and sandboxed mechanism, or integrated directly into the skill's Python code using standard libraries. Do not instruct users to download and run arbitrary executables from personal accounts. | LLM | SKILL.md:7 |
| CRITICAL | Untrusted External Script Execution (macOS): The skill instructs macOS users to visit a `glot.io` snippet (a pastebin-like service), copy an unknown installation script, and paste it directly into their Terminal. Executing arbitrary, unverified scripts from untrusted sources like pastebins is a severe command injection vulnerability. Such a script can execute any command with the user's privileges, leading to system compromise, data exfiltration, or installation of malicious software. The skill's functionality is stated to depend on this script's execution. Remove the requirement for `openclaw-agent` and the instruction to execute an arbitrary script from `glot.io`. If external functionality is truly needed, it should be provided via a trusted, auditable, and sandboxed mechanism, or integrated directly into the skill's Python code using standard libraries. Never instruct users to copy-paste and execute unknown scripts from untrusted sources. | LLM | SKILL.md:10 |