A Yahoo Finance (yfinance) powered financial analysis tool. Get real-time quotes, generate high-resolution charts with moving averages + indicators (RSI/MACD/Bollinger/VWAP/ATR), summarize fundamentals, and run a one-shot report that outputs both a text summary and a Pro chart.
Security Analysis
medium confidenceThe skill's behavior mostly matches its description (local indicator computation, yfinance lookups, PNG chart output), but the source is unknown, there's no homepage, and the provided script appears truncated so I couldn't fully review the tail of the code — that uncertainty combined with unknown origin warrants caution.
The name/description (yfinance-based quotes, indicators, charts, report) align with the included script: it fetches data with yfinance, computes RSI/MACD/Bollinger/VWAP/ATR locally, and writes a PNG report to /tmp. Declared (comment) dependencies match the operations (yfinance, pandas, matplotlib, mplfinance, rich).
SKILL.md instructs the agent to run the local Python script via `uv run --script scripts/yf.py` with arguments — that matches the script's CLI behavior. The script performs network calls to Yahoo Finance (expected), computes indicators locally, prints console reports, and writes chart files to /tmp. It does not request or read any environment variables or unusual system paths in the visible portion. HOWEVER the provided script listing is truncated (stops at `parser.add_argum...`), so the final argument parsing and the remainder of main() were not visible for review; that missing tail could contain additional behavior.
There is no install spec (instruction-only + one script file). No downloads or installation steps are included in the skill metadata; risk from install mechanism is low. The script does list dependencies in comments which would require pip installs if the environment doesn't already have them.
The skill declares no required environment variables, credentials, or config paths and the visible code does not access secrets or unrelated config. The script only uses network access to fetch public market data from Yahoo Finance — consistent with its purpose.
The skill is not configured as always:true and makes no attempt to persist or modify other skills or system-wide config in the visible code. It writes transient chart files to /tmp, which is expected for this functionality.
Guidance
This skill appears to do what it says (fetch Yahoo Finance data, compute indicators locally, render charts), but exercise caution before installing: 1) The package has no homepage and unknown source — prefer skills with a verifiable repository or maintainer. 2) The provided script output here is truncated; request the complete source and review the remainder of the file for any hidden network calls, shell execution, or filesystem access before running. 3) Install and run in an isolated environment (virtualenv or container) and only install dependencies from official PyPI packages. 4) Expect the script to fetch data from Yahoo (network traffic) and write PNGs to /tmp — if you need stricter controls, run it in a sandbox or with network monitoring. 5) If you will run this regularly in production or give it broader agent privileges, ask the maintainer for a complete source link and provenance; absence of a homepage/owner info raises provenance risk.
Latest Release
v1.2.10
Docs: rewrite SKILL.md in English for global users.
More by @kys42
Published by @kys42 on ClawHub
