skills/clawdbot/skills/yahoo-finance/Gen Agent Trust Hub

yahoo-finance

Fail

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)

Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides commands to install the 'uv' tool by executing scripts from its official domain (astral.sh) via shell and PowerShell.
  • [COMMAND_EXECUTION]: Instructions include changing file permissions with 'chmod +x' and creating symbolic links for the CLI script.
  • [PROMPT_INJECTION]: The skill processes user-provided ticker symbols and search terms, creating a surface for indirect prompt injection.
      • Ingestion points: Stock ticker symbols and search strings processed by the 'yf' CLI script.
      • Boundary markers: None identified in the provided documentation to delimit user input from instructions.
      • Capability inventory: Executes a local Python script and performs network requests via the yfinance library.
      • Sanitization: No sanitization or input validation logic is described in the available files.
Recommendations
  • HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 10, 2026, 05:39 AM