yahoo-finance
Warn
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
================================================================================
🟡 VERDICT: MEDIUM
This skill presents a MEDIUM security risk primarily due to its reliance on downloading and executing unverified external scripts, and instructing the user to make an unprovided script executable and globally accessible.
Total Findings: 2
🟡 MEDIUM Findings:
• Unverifiable Dependency & Command Execution
- Line 20: The skill instructs the user to install 'uv' by directly piping a script from 'https://astral.sh/uv/install.sh' to 'sh' (or 'install.ps1' via 'iex' on Windows). This method executes arbitrary code downloaded from an external source ('astral.sh' is not a trusted domain) without prior review, posing a significant risk of arbitrary command execution.
• Unverified Script Execution
- Line 44: The skill instructs the user to make an unprovided script named 'yf' executable (chmod +x) and to create a symlink to it in /usr/local/bin (ln -sf). Since the 'yf' script itself is not part of the provided files for analysis, its contents are unknown and unverified. Making an unknown script globally executable introduces a security vulnerability, as a malicious 'yf' script could be executed with potentially elevated privileges.
================================================================================
Audit Metadata