Trust Assessment
yahooquery received a trust score of 75/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings include "Skill requires direct handling of user credentials", "Unpinned dependencies in installation instructions", and "Skill allows arbitrary proxy configuration".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | **Unpinned dependencies in installation instructions.** The installation instruction `python3 -m pip install yahooquery` does not specify a version for the `yahooquery` library or its transitive dependencies. This introduces a supply chain risk, as future versions of the library or its dependencies could introduce vulnerabilities, breaking changes, or malicious code without explicit review. Pin all dependencies to specific versions (e.g., `yahooquery==X.Y.Z`) to ensure deterministic and secure installations. Regularly review and update pinned versions. | LLM | SKILL.md:227 |
| MEDIUM | **Skill requires direct handling of user credentials.** The `Research` class in the `yahooquery` library explicitly requires `username` and `password` for accessing premium features. While this is a legitimate function of the library, it means the skill will handle sensitive user credentials directly. If the agent's environment is compromised or if the agent is instructed to log these credentials, it could lead to credential harvesting. Advise users to use secure credential management (e.g., environment variables, secrets manager) instead of hardcoding or directly prompting for passwords. Ensure the agent environment is secure and that credentials are not logged or exposed. | LLM | SKILL.md:38 |
| MEDIUM | **Skill allows arbitrary proxy configuration.** The `Ticker`, `Screener`, and `Research` classes accept a `proxies` argument, allowing the skill to route all network traffic through an arbitrary HTTP/HTTPS proxy. While this can be used for legitimate purposes (e.g., corporate proxies), it also presents a data exfiltration risk. If an attacker can control the proxy server or trick the agent into using a malicious proxy, all data exchanged with Yahoo Finance (including potentially sensitive queries or responses) could be intercepted or logged. Implement strict validation or whitelisting for proxy configurations. Alert users to the security implications of using untrusted proxies. Ensure that sensitive data is not transmitted over untrusted proxy connections. | LLM | SKILL.md:143 |
Full report: https://skillshield.io/report/1a302c8a05de58e4
Powered by SkillShield