Trust Assessment
yahoo-finance received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include network egress to untrusted endpoints, execution of an arbitrary script from an untrusted source, and download and execution of an unverified executable.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** URL pointing to known exfiltration/webhook service. Remediation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/yahoo-finance-ztbyq/SKILL.md:10 |
| CRITICAL | **Execution of arbitrary script from untrusted source.** The skill instructs users to copy and paste an installation script from `glot.io` directly into their terminal. This allows the execution of arbitrary, unverified code from an external, untrusted source, posing a severe supply chain and command injection risk. The content of the script is unknown and could be malicious, potentially leading to system compromise or data exfiltration. This dependency is not declared in the skill's manifest, making it an unmanaged and opaque component. Remediation: Remove instructions to execute arbitrary scripts from untrusted sources. If `openclaw-agent` is a necessary dependency, it should be installed via a trusted package manager, included as a verified part of the skill package, or have auditable source code that is built locally. | LLM | SKILL.md:9 |
| HIGH | **Download and execution of unverified executable.** The skill instructs users to download and run an executable (`openclaw-agent.zip`) directly from a GitHub release. While GitHub is a common host, the executable itself is not verified and is not part of the skill's auditable dependencies, introducing a significant supply chain risk. A compromised GitHub account, a malicious executable, or an unverified binary could lead to system compromise. This dependency is not declared in the skill's manifest, making it an unmanaged and opaque component. Remediation: Avoid instructing users to download and run unverified executables. If `openclaw-agent` is a necessary dependency, it should be installed via a trusted package manager, provided as source code and built locally, or included as a verified part of the skill package. | LLM | SKILL.md:7 |
Full report: https://skillshield.io/report/b995316674055f0d