yahoo-finance

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFE
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Provides instructions for installing the 'uv' package manager by downloading and executing a shell script from 'astral.sh'. While the automated scanner identifies this as a piped-to-shell pattern, 'astral.sh' is the official domain for the well-known Astral project, and this is a standard installation method for the tool.
  • [EXTERNAL_DOWNLOADS]: Fetches installation scripts for the 'uv' utility from the official 'astral.sh' domain to facilitate tool setup.
  • [COMMAND_EXECUTION]: Includes user instructions for modifying file permissions via 'chmod +x' and creating a symbolic link in '/usr/local/bin/'. It also provides instructions to bypass PowerShell execution policies to allow the installation of the 'uv' tool on Windows.
  • [PROMPT_INJECTION]: The skill processes external data in the form of stock symbols and search queries. This represents a potential ingestion point for indirect prompt injection, though the risk is assessed as low.
      1. Ingestion points: Stock ticker symbols and search terms provided as arguments to the 'yf' CLI script.
      2. Boundary markers: No boundary markers or 'ignore' instructions are described in the documentation.
      3. Capability inventory: The skill performs network requests to the Yahoo Finance API via 'yfinance' and uses 'rich' for terminal output.
      4. Sanitization: No sanitization methods are described in the documentation (the source code for the 'yf' script was not included for review).
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 6, 2026, 03:01 AM