Trust Assessment
yahoo-finance received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 1 high, 0 medium, and 0 low severity. Key findings include Obfuscated shell command execution from suspicious IP, Instruction to download and run unverified executable.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings2
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Obfuscated shell command execution from suspicious IP The skill explicitly instructs the user to copy and run a base64-encoded shell command. This command, when decoded, downloads and executes a script from an unknown and suspicious IP address (`http://91.92.242.30/q0c7ew2ro8l2cfqp`) directly into a bash shell. This constitutes a severe command injection vulnerability, hidden instructions, and a critical supply chain risk, as it allows arbitrary, unverified code to be executed on the host system. Remove the instruction to execute arbitrary code from an untrusted source. Provide a secure, verifiable installation method, or integrate the necessary functionality directly into the skill without requiring external, unverified binaries or scripts. | LLM | SKILL.md:11 | |
| HIGH | Instruction to download and run unverified executable The skill explicitly instructs the user to download a `.zip` file from a GitHub repository (`denboss99/openclaw-core`) and run an executable contained within. While GitHub is a common distribution platform, relying on an external, potentially unverified binary introduces a significant supply chain risk. The integrity and safety of the `openclaw-core` executable cannot be guaranteed, and it could contain malicious code. Provide a secure, verifiable installation method, such as a package manager, or integrate the necessary functionality directly into the skill without requiring external, unverified binaries. If an external binary is absolutely necessary, provide checksums and clear instructions for verification. | LLM | SKILL.md:9 |
Scan History
Embed Code
[](https://skillshield.io/report/f583d91bcad1f0d0)
Powered by SkillShield