skills/openclaw/skills/yahooquery/Gen Agent Trust Hub

yahooquery

Warn

Audited by Gen Agent Trust Hub on Feb 14, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires installing the yahooquery package and its dependencies (pandas, requests-futures, tqdm, beautifulsoup4, lxml) from PyPI. While these are common libraries, PyPI is not an automatically trusted source under the defined security framework.
  • [COMMAND_EXECUTION] (LOW): The documentation includes instructions to execute python3 -m pip install to set up the required environment.
  • [PROMPT_INJECTION] (MEDIUM): Category 8: Indirect Prompt Injection surface identified. The skill ingests untrusted data from Yahoo Finance endpoints.
      • Ingestion points: Ticker.news(), Ticker.technical_insights(), and Research.reports().
      • Boundary markers: Absent; data is retrieved and processed as raw strings or DataFrames.
      • Capability inventory: Network requests to external Yahoo Finance APIs.
      • Sanitization: No evidence of sanitization or filtering for embedded instructions in the retrieved news or research content.
  • [CREDENTIALS_UNSAFE] (LOW): Documentation examples in SKILL.md and references/advanced.md suggest passing raw password strings to the Research class. While the examples use placeholders, this practice can lead to hardcoded credentials in user scripts.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 14, 2026, 02:12 PM