yahooquery
Audited by Socket on Feb 14, 2026
1 alert found:
Malware
[Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] hardcoded_secrets: Generic secret pattern detected (HS005) [AITech 8.2]

This Skill description documents use of the yahooquery client to fetch Yahoo Finance data and to authenticate for premium Research features. The capabilities listed match the stated purpose and are typical for a finance-data client. No malicious code or obfuscated payloads are present in the provided fragment. Primary risks are operational: accidental credential leakage (examples show username/password), and a local absolute path in the docs that discloses a developer file path. To be fully safe, a reviewer should inspect the actual yahooquery package source code and runtime network endpoints to confirm no third-party relays or credential-harvesting behavior is present.

LLM verification: The skill fragment largely matches its intended purpose of enabling Yahoo Finance data access via yahooquery, with broad endpoint coverage. However, credential exposure in documentation and mentions of non-official installation steps raise security and supply-chain concerns. If used, enforce secure credential handling, restrict installation to official channels, and avoid embedding secrets in docs. Overall, the risk is moderate with actionable mitigations; not clearly malicious but requires tigh