Safety Report

Yfinance

Name: Yfinance
Rating: 5 (6 reviews)
Author: rizkydwicmt

@rizkydwicmt

Access Yahoo Finance data — stock prices, history, financials, options, dividends, news, and market screeners

436Downloads

3Installs

6Stars

3Versions

Finance & Accounting1,347 DevOps & Infrastructure1,045

Security Analysis

medium confidence

Clean0.04 risk

The skill appears to do what it says (install and register a Yahoo Finance MCP server and an OpenClaw skill), but the installer performs system-level changes and downloads an external install script which you should review before running.

Feb 17, 20262 files3 concerns

Purpose & Capabilityok

Name/description (Yahoo Finance data via an MCP server) align with the files and runtime instructions. The SKILL.md documents 12 tools matching the described finance capabilities and the installer bootstraps a Python package that provides them.

Instruction Scopenote

SKILL.md itself is scoped to finance queries. The included install.sh goes beyond mere local setup: it clones the GitHub repo, installs a helper tool (uv), creates a venv, installs the package, and can modify mcporter configuration and copy SKILL.md into an OpenClaw skills directory. Those config/file changes are expected for installation but are broader than just 'run this tool'.

Install Mechanismconcern

install.sh uses network operations: git clone from GitHub and curl | sh https://astral.sh/uv/install.sh to install 'uv'. Piping remote install scripts to sh is higher risk; the repo being cloned is a third‑party GitHub account rather than a well-known organization. The rest (creating venv, pip install -e) is standard.

Credentialsok

The skill does not request secrets or service credentials. The installer exposes optional environment variables to control paths and behavior (PROJECT_DIR, VENV_DIR, CLAWD_DIR, etc.) but does not require unrelated credentials or keys.

Persistence & Privilegeconcern

Installer can modify system config: it auto-detects and edits mcporter.json and writes files into an OpenClaw skills directory (default /root/clawd). While this is intended for registration, it does modify other system/agent configs and system paths—review and explicit consent are advisable. The skill is not force-enabled (always:false).

Guidance

This package is coherent with a Yahoo Finance MCP server, but the installer takes actions you should not run blindly. Before installing: (1) review the remote GitHub repo content; (2) avoid piping unknown scripts to sh—prefer installing 'uv' manually or inspect https://astral.sh/uv/install.sh first; (3) run the installer in a disposable environment or container if possible; (4) set SKIP_MCPORTER or SKIP_SKILL, or set CLAWD_DIR/MCPORTER_CONFIG to safe locations if you do not want it to edit global mcporter/OpenClaw config; (5) ensure you understand/consent to the changes the script makes (git clone, venv creation, pip install, and config file edits).

Latest Release

v0.1.2

- Added `install.sh` script for automated installation. - Enables one-command setup: Python environment, dependencies, mcporter config, and OpenClaw skill registration. - Supports customization via environment variables for project, venv, Python version, mcporter config, and skill directory. - Documentation updated with install steps and usage instructions for the new installer.

Popular Skills

self-improving-agent

@pskoett · 1,456 stars

Gog

@steipete · 672 stars

Tavily Web Search

@arun-8687 · 620 stars

Find Skills

@JimLiuxinghai · 529 stars

Proactive Agent

@halthelobster · 426 stars

Summarize

@summarize · 415 stars

Published by @rizkydwicmt on ClawHub