Yahoo Finance

The stated purpose (fetching Yahoo Finance data via yfinance) matches the libraries referenced (yfinance, rich). However the SKILL.md expects a local executable 'yf' under /path/to/skills/yahoo-finance/ which is not present in the package manifest (no code files). Requiring the 'uv' package manager is heavier than necessary for a simple yfinance script and is not justified by the description.

Instructions tell the user to run remote installation commands (curl https://astral.sh/uv/install.sh | sh or powershell invoke-expression), chmod and symlink a 'yf' binary into /usr/local/bin, and restart shells. Those steps grant the installer broad discretion (download-and-execute) and modify system paths. The skill's docs also assume files that are not bundled, which is a functional/integrity mismatch.

There is no formal install spec in registry metadata, but SKILL.md recommends installing 'uv' via a remote install script (curl | sh) from astral.sh. Download-and-execute from an external URL is a high-risk install pattern unless you inspect the script beforehand. The docs also suggest multiple install methods (curl installer, homebrew, pip) which is inconsistent but not necessarily malicious.

The skill declares no required environment variables, credentials, or config paths and the instructions do not request secrets. That is proportionate to the stated purpose.

The skill does not request 'always: true' and is user-invocable only. However the suggested install steps (symlinking /usr/local/bin/yf) modify system-wide PATH and require filesystem privileges — this is expected for a CLI but worth noting because it makes the system-wide impact larger if the installed components are untrusted.