yahoo-finance

Fail

Audited by Socket on Mar 6, 2026

1 alert found:

Obfuscated File (severity: HIGH)
File: SKILL.md

The repository appears to be a benign CLI wrapper around yfinance for fetching Yahoo Finance data. There is no evidence in the provided content of direct credential harvesting, obfuscated malware, or explicit exfiltration. The primary security concern is the distribution/install approach: the README encourages pipe-to-shell installation of 'uv' from a third-party domain and relies on uv to install dependencies at first run. This creates a notable supply-chain risk, because a compromise of the remote installer or a malicious transitive package could execute arbitrary code on users' machines.

Recommendations:
- Do not run curl|sh or irm|iex blindly.
- Prefer installing uv from official package sources, or use standard, auditable methods (pip with pinned requirements and hash-checking/lockfile), or vendor dependencies.
- Inspect the installer script on astral.sh before running it.
- Add a pinned dependency manifest or provide a virtualenv/requirements.txt to remove the runtime install behavior.

Overall malware likelihood is low based on the README alone, but the supply-chain attack surface is non-trivial.

Confidence: 98%
Audit Metadata
Analyzed At
Mar 6, 2026, 03:03 AM
Package URL
pkg:socket/skills-sh/sundial-org%2Fawesome-openclaw-skills%2Fyahoo-finance%2F@0894e08297451f47e0351a174dd27250fa931a39