Security scan
OpenClaw
Suspicious
medium confidence
Assessment recommendations
Things to consider before installing:
- The skill package contains no executable or script named 'yf' yet the README instructs you to chmod and symlink one. Ask the publisher to provide the 'yf' script or include code in the package.
- The SKILL.md recommends installing 'uv' by piping a remote install script (curl https://astral.sh/uv/install.sh | sh). Download-and-execute of remote scripts can run arbitrary code on your machine; do not run it without inspecting the script and trusting the host...
ℹ Purpose and capabilities
The stated purpose (fetching Yahoo Finance data via yfinance) matches the libraries referenced (yfinance, rich). However the SKILL.md expects a local executable 'yf' under /path/to/skills/yahoo-finance/ which is not present in the package manifest (no code files). Requiring the 'uv' package manager is heavier than necessary for a simple yfinance script and is not justified by the description.
⚠ Instruction scope
Instructions tell the user to run remote installation commands (curl https://astral.sh/uv/install.sh | sh or powershell invoke-expression), chmod and symlink a 'yf' binary into /usr/local/bin, and restart shells. Those steps grant the installer broad discretion (download-and-execute) and modify system paths. The skill's docs also assume files that are not bundled, which is a functional/integrity mismatch.
⚠ Install mechanism
There is no formal install spec in registry metadata, but SKILL.md recommends installing 'uv' via a remote install script (curl | sh) from astral.sh. Download-and-execute from an external URL is a high-risk install pattern unless you inspect the script beforehand. The docs also suggest multiple install methods (curl installer, homebrew, pip) which is inconsistent but not necessarily malicious.
✓ Credential requirements
The skill declares no required environment variables, credentials, or config paths and the instructions do not request secrets. That is proportionate to the stated purpose.
ℹ Persistence and permissions
The skill does not request 'always: true' and is user-invocable only. However, the suggested install steps (symlinking /usr/local/bin/yf) place a binary in a system-wide PATH directory and require filesystem privileges. This is expected for a CLI, but it is worth noting because it enlarges the system-wide impact if the installed components are untrusted.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/1/8
● Suspicious
Install command
Official: npx clawhub@latest install yahoo-finance
Mirror (accelerated): npx clawhub@latest install yahoo-finance --registry https://cn.longxiaskill.com